07-21-2010 01:53 AM
Hello!
I need to establish a VPN connection over the internet.
On one side I have a Cisco 3845 which is directly connected to the internet.
On the other side I have a 2801, which is behind a Zyxel ADSL modem in router mode (i.e. the real IP is on the modem; the modem does NAT for the Cisco).
sh crypto sess on 2801:
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 78.85.33.237 port 4500
IKE SA: local 192.168.107.1/4500 remote 78.85.133.237/4500 Active
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 host 78.85.133.237
Active SAs: 6, origin: crypto map
sh crypto sess on 3845:
Interface: Serial3/0.200
Session status: UP-ACTIVE
Peer: 78.85.37.90 port 10017
IKE SA: local 78.85.133.237/4500 remote 78.85.137.90/10017 Active
IPSEC FLOW: permit 47 host 78.85.133.237 0.0.0.0/0.0.0.0
Active SAs: 6, origin: crypto map
But traffic doesn't pass.
I see the same error on both sides:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237
NAT-T is on:
crypto ipsec nat-transparency udp-encapsulation
Could you tell me how I can solve this problem?
07-21-2010 02:07 AM
btw, I changed the addresses but made a mistake, so there is an address difference from the real configuration. :-)
07-21-2010 02:18 PM
Are you configuring GRE over IPsec tunnel?
Can you share the output of the following from both devices:
show cry isa sa
show cry ipsec sa
07-21-2010 09:55 PM
Hello!
Yes, I use GRE over IPsec.
I changed the configuration because I use the 3845 in production and it is not easy to run debugs on it.
So now the configuration is the following:
2801-pix515--internet-zyxel adsl modem-2801.
2801 config on left side:
crypto isakmp KEY address A.85.37.90
crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs
crypto map mpr-vtk-map 10 ipsec-isakmp
set peer B.85.37.90
set transform-set mpr-vtk
match address 112
access-list 112 permit gre any any
interface Tunnel0
ip address 192.168.200.102 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination B.85.37.90
2801 on right side:
crypto isakmp key MPRmPr address A.80.32.213
crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs
crypto map mpr-vtk-map 10 ipsec-isakmp
set peer A.80.32.213
set transform-set mpr-vtk
match address 112
access-list 112 permit gre any any
interface Tunnel1
ip address 192.168.200.101 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination B.85.33.237
output, left 2801:
show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
B.85.37.90 192.168.22.22 QM_IDLE 1003 ACTIVE
show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: mpr-vtk-map, local addr 192.168.22.22
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 78.85.37.90 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 24, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.22.22, remote crypto endpt.: B.85.37.90
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x35BD59A1(901601697)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4D6FFB0E(1299184398)
transform: esp-256-aes ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4487476/2411)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xFDF4294A(4260637002)
transform: ah-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4487476/2411)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
spi: 0xD249(53833)
transform: comp-lzs ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4487476/2411)
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0x35BD59A1(901601697)
transform: esp-256-aes ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4487471/2411)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0xFC573A77(4233575031)
transform: ah-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4487471/2411)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
spi: 0x7882(30850)
transform: comp-lzs ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4487471/2411)
replay detection support: Y
Status: ACTIVE
right 2801:
show cry isa sa
dst src state conn-id slot status
192.168.107.1 A.80.32.213 QM_IDLE 9 0 ACTIVE
interface: FastEthernet0/0
Crypto map tag: mpr-vtk-map, local addr 192.168.107.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 88.80.32.213 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.107.1, remote crypto endpt.: A.80.32.213
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4D6FFB0E(1299184398)
inbound esp sas:
spi: 0x35BD59A1(901601697)
transform: esp-256-aes ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4579927/2253)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xFC573A77(4233575031)
transform: ah-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4579927/2253)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
spi: 0x7882(30850)
transform: comp-lzs ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4579927/2253)
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0x4D6FFB0E(1299184398)
transform: esp-256-aes ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4579926/2253)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0xFDF4294A(4260637002)
transform: ah-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4579926/2253)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
spi: 0xD249(53833)
transform: comp-lzs ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
sa timing: remaining key lifetime (k/sec): (4579926/2252)
replay detection support: Y
Status: ACTIVE
Thank you!
07-22-2010 02:54 AM
btw, all works OK if the 2801 has a real IP on its interface (tested on a different 2801, but with the same 3845).
so the problem is somewhere in NAT...
07-23-2010 04:04 AM
and, as I see in the monitor capture, there are UDP-encapsulated ESP packets, but they are just not decoded.
looks like an IOS bug as usual :-)
07-23-2010 01:26 PM
First off, since you are behind a NAT, can you configure your transform set to "mode transport"? Do this on both sides, clear the tunnels and see if the behavior changes.
config t
crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs
mode transport
I have also seen some issues with using AH and ESP together, but if memory serves me right it didn't affect these platforms.
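A cross-check of the two "show crypto ipsec sa" outputs posted above, also covering the AH-and-ESP remark in this reply: it flags one-way counters (encaps without decaps), verifies that each outbound SPI is installed inbound on the peer, and flags AH SAs running under UDP encapsulation, since RFC 3948 NAT-T defines UDP encapsulation for ESP only. This is an added Python example, not code from the thread or from Cisco; the sample text is a constructed excerpt of the posted output, and the right side is derived by mirroring the left, as it appears in the posts.

```python
import re
# Constructed excerpt of the left 2801's "show crypto ipsec sa" (posted SPIs and counters, other lines dropped).
LEFT = """#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
 spi: 0x4D6FFB0E(1299184398)
 in use settings ={Tunnel UDP-Encaps, }
inbound ah sas:
 spi: 0xFDF4294A(4260637002)
 in use settings ={Tunnel UDP-Encaps, }
outbound esp sas:
 spi: 0x35BD59A1(901601697)
 in use settings ={Tunnel UDP-Encaps, }
outbound ah sas:
 spi: 0xFC573A77(4233575031)
 in use settings ={Tunnel UDP-Encaps, }"""
# The right 2801's posted output is the mirror image: counters 5/0 and the same SPIs with in/out swapped.
RIGHT = LEFT.replace(": 24", ": 5").replace("inbound", "@").replace("outbound", "inbound").replace("@", "outbound")

def parse_sa(text):
    """Parse encaps/decaps counters and, per (direction, protocol), the SPI and UDP-encapsulation flag."""
    info, key = {"encaps": 0, "decaps": 0, "sas": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            key = (m.group(1), m.group(2))
            info["sas"][key] = {"spi": None, "udp_encaps": False}
        elif key and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            info["sas"][key]["spi"] = m.group(1)
        elif key and "UDP-Encaps" in line:
            info["sas"][key]["udp_encaps"] = True
    return info

def diagnose(left, right):
    """Cross-check both peers' parsed SAs; returns (side, code, detail) findings."""
    out = []
    for side, mine, peer in (("left", left, right), ("right", right, left)):
        if mine["encaps"] and not mine["decaps"]:
            out.append((side, "one_way", "sends encapsulated packets but never decapsulates any"))
        for (direction, proto), sa in mine["sas"].items():
            if proto == "ah" and sa["udp_encaps"]:
                out.append((side, "ah_nat_t", "AH SA under UDP-Encaps; RFC 3948 NAT-T carries ESP only"))
            peer_sa = peer["sas"].get(("inbound", proto))
            if direction == "outbound" and (not peer_sa or peer_sa["spi"] != sa["spi"]):
                out.append((side, "spi_mismatch", f"outbound {proto} {sa['spi']} is not the peer's inbound SPI"))
    return out
```

On the posted output the SPIs pair up correctly, so the findings are the zero decaps counters on both sides and the AH SAs under UDP encapsulation.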
07-25-2010 08:45 PM
Hello!
I tried mode transport; the result is the same :-(