NAT transparency and %CRYPTO-4-RECVD_PKT_INV_SPI

Unanswered Question

Hello!


I need to establish a VPN connection over the internet.

On one side I have a Cisco 3845 which is directly connected to the internet.

On the other side I have a 2801, which is behind a ZyXEL ADSL modem in router mode (i.e. the real IP is on the modem, and the modem does NAT for the Cisco).


sh crypto sess on 2801:


Interface: FastEthernet0/0
Session status: UP-ACTIVE    
Peer: 78.85.33.237 port 4500
  IKE SA: local 192.168.107.1/4500 remote 78.85.133.237/4500 Active
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 host 78.85.133.237
        Active SAs: 6, origin: crypto map



sh crypto sess on 3845:


Interface: Serial3/0.200
Session status: UP-ACTIVE    
Peer: 78.85.37.90 port 10017
  IKE SA: local 78.85.133.237/4500 remote 78.85.137.90/10017 Active
  IPSEC FLOW: permit 47 host 78.85.133.237 0.0.0.0/0.0.0.0
        Active SAs: 6, origin: crypto map




But traffic doesn't pass.


I see the same error on both sides:


%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237


NAT-T is on:

crypto ipsec nat-transparency udp-encapsulation



Could you tell me how I can solve this problem?

Jennifer Halim (Cisco Employee) Wed, 07/21/2010 - 14:18

Are you configuring a GRE over IPsec tunnel?


Can you share the output of the following from both devices:

show cry isa sa

show cry ipsec sa


Hello!


Yes, I use GRE over IPsec.


I changed the configuration, because I use the 3845 in production and it is not easy to run debugs on it.

So now the configuration is the following:


2801-pix515--internet-zyxel adsl modem-2801.


2801 config on left side:


crypto isakmp KEY address A.85.37.90


crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs


crypto map mpr-vtk-map 10 ipsec-isakmp
 set peer B.85.37.90
 set transform-set mpr-vtk
 match address 112


access-list 112 permit gre any any



interface Tunnel0
 ip address 192.168.200.102 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination B.85.37.90



2801 on right side:


crypto isakmp key MPRmPr address A.80.32.213


crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs


crypto map mpr-vtk-map 10 ipsec-isakmp
 set peer A.80.32.213
 set transform-set mpr-vtk
 match address 112




access-list 112 permit gre any any


interface Tunnel1
 ip address 192.168.200.101 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination B.85.33.237



output, left 2801:

show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
B.85.37.90     192.168.22.22   QM_IDLE           1003 ACTIVE


show cry ipsec sa


interface: FastEthernet0/0
    Crypto map tag: mpr-vtk-map, local addr 192.168.22.22


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 78.85.37.90 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 24, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0


     local crypto endpt.: 192.168.22.22, remote crypto endpt.: B.85.37.90
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x35BD59A1(901601697)
     PFS (Y/N): N, DH group: none


     inbound esp sas:
      spi: 0x4D6FFB0E(1299184398)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487476/2411)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound ah sas:
      spi: 0xFDF4294A(4260637002)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487476/2411)
        replay detection support: Y
        Status: ACTIVE


     inbound pcp sas:
      spi: 0xD249(53833)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487476/2411)
        replay detection support: Y
        Status: ACTIVE


     outbound esp sas:
      spi: 0x35BD59A1(901601697)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487471/2411)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound ah sas:
      spi: 0xFC573A77(4233575031)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487471/2411)
        replay detection support: Y
        Status: ACTIVE


     outbound pcp sas:
      spi: 0x7882(30850)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487471/2411)
        replay detection support: Y
        Status: ACTIVE






right 2801:


show cry isa sa
dst             src             state          conn-id slot status
192.168.107.1   A.80.32.213    QM_IDLE              9    0 ACTIVE


interface: FastEthernet0/0
    Crypto map tag: mpr-vtk-map, local addr 192.168.107.1


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 88.80.32.213 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 5, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


     local crypto endpt.: 192.168.107.1, remote crypto endpt.: A.80.32.213
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x4D6FFB0E(1299184398)


     inbound esp sas:
      spi: 0x35BD59A1(901601697)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579927/2253)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound ah sas:
      spi: 0xFC573A77(4233575031)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579927/2253)
        replay detection support: Y
        Status: ACTIVE


     inbound pcp sas:
      spi: 0x7882(30850)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579927/2253)
        replay detection support: Y
        Status: ACTIVE


     outbound esp sas:
      spi: 0x4D6FFB0E(1299184398)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579926/2253)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound ah sas:
      spi: 0xFDF4294A(4260637002)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579926/2253)
        replay detection support: Y
        Status: ACTIVE


     outbound pcp sas:
      spi: 0xD249(53833)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579926/2252)
        replay detection support: Y
        Status: ACTIVE




Thank you!

mireynol Fri, 07/23/2010 - 13:26

First off, since you are behind a NAT, can you configure your transform set to "mode transport"? Do this on both sides, clear the tunnels and see if the behavior changes.


config t

crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs

mode transport


I have also seen some issues with using AH and ESP, but if memory serves me right it didn't affect these platforms.
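As an added diagnostic (an editor's example, not code from the thread, from the posters, or from Cisco), the Python script below cross-checks a pair of `show crypto ipsec sa` outputs for the three things worth verifying in a case like the one above: whether each side only encapsulates and never decapsulates (the one-way symptom visible in both posted counter blocks), whether each peer's outbound SPIs match the other peer's inbound SPIs (so that a %CRYPTO-4-RECVD_PKT_INV_SPI message can be tied to a stale or mismatched SA, or ruled out as the cause), and whether an AH SA has been negotiated under UDP encapsulation. The sample outputs are constructed abridgements of the two outputs posted in the thread, keeping the same SPIs and counters but dropping the pcp SAs and transform lines; the function and field names are my own. The AH check rests on a general property of IPsec rather than on anything established in the thread: AH's integrity check covers the outer IP header, so addresses rewritten by a NAT fail verification, and NAT-T's UDP encapsulation (RFC 3948) is defined for ESP only, which is consistent with mireynol's remark about AH plus ESP.

```python
import re

# Constructed, abridged samples modelled on the 'show crypto ipsec sa' outputs
# posted in the thread (ESP and AH SAs only; pcp SAs and transform lines dropped).
LEFT_2801 = """\
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x4D6FFB0E(1299184398)
        in use settings ={Tunnel UDP-Encaps, }
     inbound ah sas:
      spi: 0xFDF4294A(4260637002)
        in use settings ={Tunnel UDP-Encaps, }
     outbound esp sas:
      spi: 0x35BD59A1(901601697)
        in use settings ={Tunnel UDP-Encaps, }
     outbound ah sas:
      spi: 0xFC573A77(4233575031)
        in use settings ={Tunnel UDP-Encaps, }
"""
RIGHT_2801 = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x35BD59A1(901601697)
        in use settings ={Tunnel UDP-Encaps, }
     inbound ah sas:
      spi: 0xFC573A77(4233575031)
        in use settings ={Tunnel UDP-Encaps, }
     outbound esp sas:
      spi: 0x4D6FFB0E(1299184398)
        in use settings ={Tunnel UDP-Encaps, }
     outbound ah sas:
      spi: 0xFDF4294A(4260637002)
        in use settings ={Tunnel UDP-Encaps, }
"""

SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
INV_SPI_RE = re.compile(r"RECVD_PKT_INV_SPI.*?spi=(0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return packet counters and the SAs (direction, protocol, SPI, settings) of one router."""
    result = {"encaps": 0, "decaps": 0, "sas": []}
    direction = proto = None
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            result[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:                       # "inbound esp sas:" opens a new section
            direction, proto = m.groups()
            continue
        m = SPI_RE.match(line)
        if m and direction:         # one SA per "spi:" line inside a section
            result["sas"].append({"dir": direction, "proto": proto,
                                  "spi": int(m.group(1), 16), "settings": ""})
        elif "in use settings" in line and result["sas"]:
            result["sas"][-1]["settings"] = line.split("=", 1)[1].strip(" {},")
    return result


def spis(parsed, direction):
    """Map protocol -> SPI for the SAs of one direction."""
    return {sa["proto"]: sa["spi"] for sa in parsed["sas"] if sa["dir"] == direction}


def invalid_spi_is_local(syslog_line, parsed):
    """True if the SPI rejected in a RECVD_PKT_INV_SPI message is one of this router's inbound SPIs."""
    m = INV_SPI_RE.search(syslog_line)
    return bool(m) and int(m.group(1), 16) in spis(parsed, "inbound").values()


def diagnose(left_text, right_text):
    """Findings: one-way traffic, AH negotiated under NAT-T, and SPI mismatches between the peers."""
    peers = {"left": parse_ipsec_sa(left_text), "right": parse_ipsec_sa(right_text)}
    findings = []
    for name, p in peers.items():
        if p["encaps"] > 0 and p["decaps"] == 0:
            findings.append(f"{name}: {p['encaps']} packets encapsulated, none decapsulated (one-way)")
        # An AH SA authenticates the outer IP header, which NAT rewrites; NAT-T
        # (RFC 3948) encapsulates ESP only, so AH cannot survive this path.
        for sa in p["sas"]:
            if sa["proto"] == "ah" and "UDP-Encaps" in sa["settings"]:
                findings.append(f"{name}: AH SA 0x{sa['spi']:08X} negotiated with UDP encapsulation behind NAT")
                break
    for a, b in (("left", "right"), ("right", "left")):
        for proto, spi in spis(peers[a], "outbound").items():
            if spis(peers[b], "inbound").get(proto) != spi:
                findings.append(f"{a} outbound {proto} SPI 0x{spi:08X} has no matching inbound SA on {b}")
    return findings
```

Run on the two constructed samples, `diagnose(LEFT_2801, RIGHT_2801)` reports one-way traffic on both sides and an AH SA under UDP encapsulation on both sides, but no SPI mismatch: every outbound SPI on one 2801 appears as the inbound SPI on the other, so the SAs themselves are consistent and the failure sits in how the packets are being verified, not in which SA they are addressed to. `invalid_spi_is_local()` takes a %CRYPTO-4-RECVD_PKT_INV_SPI line and the parsed output of the router that logged it, and answers the first question one asks about that message: does the rejected SPI belong to any of this router's current inbound SAs at all.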
