Problem in deploying an IPsec manual tunnel towards a foreign node
We're deploying an IPSec tunnel in manual mode (without IKE) between a Cisco router 1751 and an Ericsson remote node.
We've disabled the VPN card (command "no crypto engine accelerator", since there are several bugs not yet fixed with encryption cards in manual mode).
When the remote node tries to convey packets inside the tunnel towards the router, debugging (crypto engine enabled) shows a message such as "invalid SPI", but the SPI shown in the log message is the same as the SPI configured in the router.
Re: Problem in deploying an IPsec manual tunnel towards a foreig
This happens if the received IPSec packet specifies an SPI that does not exist in the SADB. This may be a temporary condition due to slight differences in aging of SAs between the IPSec peers, or it may be because the local SAs have been cleared. It may also be because of incorrect packets sent by the IPSec peer. This may also be an attack.
The proposed action:
The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.
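As an added illustration (not part of the posts above, and not Cisco's implementation), the following sketch shows how an inbound SA lookup can fail even when the SPI number itself appears in the configuration. It assumes a SAD keyed by direction, destination address, protocol and SPI; the addresses, SPI values and function names are constructed for the example.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IP protocol numbers
# Constructed SAD for the example: (direction, destination, protocol, SPI)
SAD = {("in", "192.0.2.1", ESP, 0x1000), ("out", "192.0.2.2", ESP, 0x2000)}

def build(dst, proto, spi):
    """Constructed sample packet: minimal IPv4 header (checksum 0) + IPsec header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address("192.0.2.2").packed,
                     ipaddress.IPv4Address(dst).packed)
    if proto == ESP:
        return ip + struct.pack("!II", spi, 1)        # SPI, sequence number
    return ip + struct.pack("!BBHII", 4, 4, 0, spi, 1)  # AH: SPI follows 4 bytes

def parse_ipsec(packet):
    """Return (dst, proto, spi) from a raw IPv4 packet carrying ESP or AH."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    offset = {ESP: 0, AH: 4}.get(proto)  # SPI offset inside the IPsec header
    if offset is None:
        raise ValueError("not ESP or AH")
    if len(packet) < ihl + offset + 4:
        raise ValueError("truncated IPsec header")
    (spi,) = struct.unpack_from("!I", packet, ihl + offset)
    return str(ipaddress.IPv4Address(packet[16:20])), proto, spi

def classify(sad, packet):
    """Explain why the inbound SA lookup for this packet succeeds or fails."""
    dst, proto, spi = parse_ipsec(packet)
    if ("in", dst, proto, spi) in sad:
        return "match"
    hits = [k for k in sad if k[3] == spi]
    if not hits:
        return "SPI not in SAD"
    inbound = [k for k in hits if k[0] == "in"]
    if not inbound:
        return "SPI configured only for outbound"
    if all(k[2] != proto for k in inbound):
        return "SPI configured for a different protocol"
    return "SPI configured for a different destination"

if __name__ == "__main__":
    for args in [("192.0.2.1", ESP, 0x1000), ("192.0.2.1", ESP, 0x2000),
                 ("192.0.2.1", AH, 0x1000), ("192.0.2.9", ESP, 0x1000)]:
        print(args, "->", classify(SAD, build(*args)))
```

Running the same comparison against the values actually configured on both peers (direction, protocol and peer address as well as the SPI number) narrows down which part of the lookup key disagrees.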