3119 Views | 0 Helpful | 7 Replies

nat transparency and %CRYPTO-4-RECVD_PKT_INV_SPI

dm (Level 1)

Hello!

I need to establish a VPN connection over the internet.

On one side I have a Cisco 3845 which is directly connected to the internet.

On the other side I have a 2801, which is behind a ZyXEL ADSL modem in router mode (i.e. the real IP is on the modem, and the modem does NAT for the Cisco).

sh crypto sess on 2801:

Interface: FastEthernet0/0
Session status: UP-ACTIVE    
Peer: 78.85.33.237 port 4500
  IKE SA: local 192.168.107.1/4500 remote 78.85.133.237/4500 Active
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 host 78.85.133.237
        Active SAs: 6, origin: crypto map

sh crypto sess on 3845:

Interface: Serial3/0.200
Session status: UP-ACTIVE    
Peer: 78.85.37.90 port 10017
  IKE SA: local 78.85.133.237/4500 remote 78.85.137.90/10017 Active
  IPSEC FLOW: permit 47 host 78.85.133.237 0.0.0.0/0.0.0.0
        Active SAs: 6, origin: crypto map

But traffic doesn't pass.

I see the same error on both sides:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237

NAT-T is on:

crypto ipsec nat-transparency udp-encapsulation

Could you tell me how I can solve this problem?

7 Replies

dm (Level 1)

btw, I changed the addresses but made a mistake, so there is an address difference in the real configuration. :-)

Are you configuring GRE over IPsec tunnel?

Can you share the output of the following from both devices:

show cry isa sa

show cry ipsec sa


Hello!

Yes, I use GRE over IPsec.

I changed the configuration because I use the 3845 in production and it is not easy to run debugs on it.

So now the configuration is as follows:

2801-pix515--internet-zyxel adsl modem-2801.

2801 config on left side:

crypto isakmp KEY address A.85.37.90

crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs

crypto map mpr-vtk-map 10 ipsec-isakmp
 set peer B.85.37.90
 set transform-set mpr-vtk
 match address 112

access-list 112 permit gre any any

interface Tunnel0
 ip address 192.168.200.102 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination B.85.37.90

2801 on right side:

crypto isakmp key MPRmPr address A.80.32.213

crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs

crypto map mpr-vtk-map 10 ipsec-isakmp
 set peer A.80.32.213
 set transform-set mpr-vtk
 match address 112

access-list 112 permit gre any any

interface Tunnel1
 ip address 192.168.200.101 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination B.85.33.237

output, left 2801:

show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
B.85.37.90     192.168.22.22   QM_IDLE           1003 ACTIVE

show cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mpr-vtk-map, local addr 192.168.22.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 78.85.37.90 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 24, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.22.22, remote crypto endpt.: B.85.37.90
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x35BD59A1(901601697)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4D6FFB0E(1299184398)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487476/2411)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0xFDF4294A(4260637002)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487476/2411)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:
      spi: 0xD249(53833)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487476/2411)
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x35BD59A1(901601697)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487471/2411)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0xFC573A77(4233575031)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487471/2411)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:
      spi: 0x7882(30850)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000076, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4487471/2411)
        replay detection support: Y
        Status: ACTIVE

right 2801:

show cry isa sa
dst             src             state          conn-id slot status
192.168.107.1   A.80.32.213    QM_IDLE              9    0 ACTIVE

interface: FastEthernet0/0
    Crypto map tag: mpr-vtk-map, local addr 192.168.107.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 88.80.32.213 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 5, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.107.1, remote crypto endpt.: A.80.32.213
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x4D6FFB0E(1299184398)

     inbound esp sas:
      spi: 0x35BD59A1(901601697)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579927/2253)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0xFC573A77(4233575031)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579927/2253)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:
      spi: 0x7882(30850)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3004, flow_id: FPGA:4, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579927/2253)
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x4D6FFB0E(1299184398)
        transform: esp-256-aes ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579926/2253)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0xFDF4294A(4260637002)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579926/2253)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:
      spi: 0xD249(53833)
        transform: comp-lzs ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3003, flow_id: FPGA:3, crypto map: mpr-vtk-map
        sa timing: remaining key lifetime (k/sec): (4579926/2252)
        replay detection support: Y
        Status: ACTIVE

Thank you!

btw, everything works OK if the 2801 has a real IP on its interface (tested on a different 2801, but with the same 3845).

so the problem is somewhere in NAT...

and, as I see in the monitor capture, there are UDP-encapsulated ESP packets, but they are just not decoded.

looks like an IOS bug as usual :-)

First off, since you are behind a NAT, can you configure your transform set with "mode transport"? Do this on both sides, clear the tunnels, and see if the behavior changes.

config t

crypto ipsec transform-set mpr-vtk ah-sha-hmac esp-aes 256 comp-lzs
 mode transport

I have also seen some issues with using ah and esp, but if memory serves me right it didn't affect these platforms.
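An added example, not code from the thread or from Cisco: the spi=0x32040000 in the original post's error decodes cleanly as the first word of an AH header (next header 0x32 = ESP, payload length 4 = a 12-byte SHA-1-96 ICV, reserved 0), which is what a NAT-T decapsulator would read if the UDP payload were AH rather than ESP. RFC 3948 defines UDP encapsulation for ESP only, so the ah-sha-hmac in the thread's transform set is a candidate cause worth checking; the log line below is a constructed copy of the one quoted above, and the field layout follows RFC 4302.

```python
import re
from dataclasses import dataclass

# Constructed copy of the syslog line quoted in the original post (same addresses and SPI).
INV_SPI_LOG = ("%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
               "destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237")

ESP, UDP = 50, 17                      # IANA IP protocol numbers
LOG_RE = re.compile(r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=0x(?P<spi>[0-9A-Fa-f]+)")


@dataclass
class AhHeaderView:
    next_header: int   # protocol carried inside AH
    payload_len: int   # AH length in 32-bit words minus 2 (RFC 4302)
    reserved: int      # must be zero
    icv_bytes: int     # AH length minus the 12 fixed bytes (nh, len, res, SPI, seq)


def parse_inv_spi(line: str):
    """Return (destaddr, prot, spi) from a RECVD_PKT_INV_SPI syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a RECVD_PKT_INV_SPI line")
    return m.group("dst"), int(m.group("prot")), int(m.group("spi"), 16)


def spi_as_ah_header(spi: int) -> AhHeaderView:
    """Re-read the 32 bits the decapsulator took as an ESP SPI as the first word of an AH header."""
    next_header = (spi >> 24) & 0xFF
    payload_len = (spi >> 16) & 0xFF
    reserved = spi & 0xFFFF
    ah_total = (payload_len + 2) * 4
    return AhHeaderView(next_header, payload_len, reserved, ah_total - 12)


def ah_inside_nat_t(line: str) -> bool:
    """True when a UDP-delivered packet's rejected 'SPI' is a plausible AH header wrapping ESP.
    RFC 3948 UDP encapsulation carries ESP only, so AH after the UDP header is misread as an SPI."""
    _, prot, spi = parse_inv_spi(line)
    if prot != UDP:
        return False
    v = spi_as_ah_header(spi)
    return v.reserved == 0 and v.next_header == ESP and v.icv_bytes >= 12


if __name__ == "__main__":
    view = spi_as_ah_header(parse_inv_spi(INV_SPI_LOG)[2])
    print(view, "-> AH wrapping ESP inside NAT-T:", ah_inside_nat_t(INV_SPI_LOG))
```

A match does not by itself prove the cause, but it separates this failure from a plain SPI mismatch, which would show a value resembling the SAs in show crypto ipsec sa.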

Hello!

I tried mode transport, the result is the same :-(
