New Member

IPSec Spoof problem - SitetoSite

The setup consists of:

Core: 5510 3 Interfaces (Out,In,Partner)

Remote: 5505 with Cable Internet

Our network has a site to site vpn connection to a partner company via a leased line out the partner interface. This has been in place and working for the past couple of months.

We recently added a site-to-site VPN connection to a small remote office. From this office I need to be able to access the core network and also some subnets on the partner network.

I can ping/access everything I need to get to on the core, but the connection going to the partner network seems to be one way. I can get packets coming from their network, but when sending packets back they get lost on our core 5510.

On the 5510 I do a packet-tracer and it says "Packet dropped" because of an IPSec Spoof Detected. The funny thing is that if I do the same packet-trace but switch the source interface from outside to inside, it says it goes through.

Could this be something to do with the interface security levels? The outside is 0, the inside is 100 and the partner is 90.

I can attach debugs/etc. if requested. I'm just hoping someone has run into a scenario like this before.

Thanks.

4 REPLIES
New Member

Re: IPSec Spoof problem - SitetoSite

Hello,

Can you post your config?

I think you need same-security-traffic permit inter-interface

Thanks.

New Member

Re: IPSec Spoof problem - SitetoSite

I believe I already tried the same-security-traffic command...and nothing. The remote site can access the internal network, which has a higher security level than the partner, so I figure it would be pretty much the same case.

Attached is the config with public IPs and passwords removed:

New Member

Re: IPSec Spoof problem - SitetoSite

Sorry..config attached:

New Member

Re: IPSec Spoof problem - SitetoSite

Dear friend!

Please try to change, in the line

"crypto isakmp policy 5"

the Diffie-Hellman (DH) group setting to 5:

group 5

It's very important if you are using AES encryption.

Maybe it is the solution %)
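Added illustration (not the poster's attached config, and not a reply in the thread) of how the two site-to-site tunnels from the original question could be laid out on the 5510 so that the remote office's subnet is covered by both crypto ACLs, together with the isakmp policy change the last reply suggests. All interface names, subnets, peer addresses and ACL names are constructed assumptions, pre-8.3 NAT syntax is assumed, and the pre-shared keys are placeholders.

```cisco
! Constructed example: addresses are RFC 1918 / RFC 5737 documentation ranges.
! Topology assumed from the question:
!   outside (0)   -> Internet, remote office LAN 192.168.5.0/24 behind peer 203.0.113.10
!   inside  (100) -> core network 10.10.0.0/16
!   partner (90)  -> leased line, partner subnet 172.16.50.0/24 behind peer 198.51.100.20
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif partner
 security-level 90

! The first reply's suggestion. It only matters for interfaces at the SAME level;
! intra-interface would matter if both tunnels terminated on one interface.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

! Interesting traffic for the remote-office tunnel: the remote LAN has to reach
! BOTH the core and the partner subnet, so both appear as local networks here.
access-list REMOTE_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list REMOTE_CRYPTO extended permit ip 172.16.50.0 255.255.255.0 192.168.5.0 255.255.255.0

! Interesting traffic for the partner tunnel: the remote LAN must be listed as a
! source here too, otherwise remote-to-partner traffic does not match this SA.
! The partner side must mirror these entries in its own crypto ACL.
access-list PARTNER_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list PARTNER_CRYPTO extended permit ip 192.168.5.0 255.255.255.0 172.16.50.0 255.255.255.0

! NAT exemption for the core side (pre-8.3 style). nat-control is assumed to be
! disabled, so the outside->partner hairpin flows need no exemption of their own.
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1 as the last reply suggests: AES with DH group 5 (must match on both peers).
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable partner

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address REMOTE_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

crypto map PARTNER_MAP 10 match address PARTNER_CRYPTO
crypto map PARTNER_MAP 10 set peer 198.51.100.20
crypto map PARTNER_MAP 10 set transform-set ESP-AES-SHA
crypto map PARTNER_MAP interface partner

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <REMOTE-PSK-PLACEHOLDER>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <PARTNER-PSK-PLACEHOLDER>

! Checks: simulate a partner-bound packet from the remote LAN, look at the
! drop counters, and confirm an SA with the partner carries the 192.168.5.0 flow.
packet-tracer input outside tcp 192.168.5.10 1234 172.16.50.10 80
show asp drop
show crypto ipsec sa peer 198.51.100.20
```

Two notes on reading the checks. packet-tracer injects an unencrypted packet; when that packet's addresses match a crypto ACL on the interface it is injected into, the ASA can report it as an IPSec spoof even though real traffic arriving inside the tunnel would be decrypted first, so a trace sourced on outside is a weaker test than a trace sourced on the partner interface plus the `show crypto ipsec sa` counters for the actual flow. Separately, DH group 5 is 1536-bit MODP; where both peers support it, a larger group (14 or above) is the current recommendation.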
