But I have a problem: the VPN does not come up from the router which is behind the NAT, and comes up from another site. Can anybody help me resolve this problem?
debug crypto ipsec
debug crypto isakmp
no access-list 120
access-list 120 permit ip host 192.168.34.1 host 192.168.11.7
no ip access-list extended VPN
ip access-list extended VPN
permit ip host 192.168.11.7 host 192.168.34.1
so... Was it working?
try to add on both sides
crypto isakmp keepalive 10
crypto isakmp invalid-spi-recovery
after that do
clear crypto sa
clear crypto isa sa
Yes, I have added crypto isakmp invalid-spi-recovery previously
and the VPN tunnel worked, but the scheme at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml has no crypto isakmp invalid-spi-recovery. What does this line do? How safe and stable is this config?
Yes, I have read this guide and it confuses me
If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using command-line interface (CLI).
Can the VPN work without crypto isakmp invalid-spi-recovery? I think the c871 doesn't detect NAT
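
An added example, not part of the thread or of Cisco's documentation: when invalid-spi-recovery is enabled, it is worth watching how often each source triggers the "Invalid SPI" condition the quoted text describes. The sketch below counts %CRYPTO-4-RECVD_PKT_INV_SPI syslog messages per source in a sliding window; the log lines are constructed, and the timestamp/hostname prefix, the function name and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Message body modelled on the IOS %CRYPTO-4-RECVD_PKT_INV_SPI syslog message.
# The leading ISO timestamp and hostname are an assumed collector prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %CRYPTO-4-RECVD_PKT_INV_SPI: .*?srcaddr=(?P<src>[\d.]+)")

def inv_spi_bursts(lines, window_s=60, threshold=5):
    """Return {source: peak count} for sources that sent at least `threshold`
    invalid-SPI packets within any `window_s`-second span.
    Lines are assumed to be in chronological order per source."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peak = defaultdict(int)       # source -> largest window population seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # unrelated syslog message
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # expire events older than the window
        peak[m["src"]] = max(peak[m["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}

def _line(ts, src, spi):
    # Helper that builds one constructed sample line.
    return (f"{ts} rtr1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
            f"has invalid spi for destaddr=192.0.2.1, prot=50, "
            f"spi=0x{spi:08X}({spi}), srcaddr={src}")

# Constructed sample: one source sends six invalid-SPI packets in 50 seconds,
# another sends two that are ten minutes apart (e.g. a peer that rebooted).
SAMPLE = (
    [_line(f"2024-01-01T10:00:{s:02d}", "198.51.100.7", 0x1000 + s)
     for s in range(0, 60, 10)]
    + [_line("2024-01-01T10:05:00", "203.0.113.9", 0x2000),
       _line("2024-01-01T10:15:00", "203.0.113.9", 0x2000),
       "2024-01-01T10:16:00 rtr1 %SYS-5-CONFIG_I: Configured from console"]
)

if __name__ == "__main__":
    for src, n in inv_spi_bursts(SAMPLE).items():
        print(f"{src}: {n} invalid-SPI packets within 60s")
```

A source that appears in the result repeatedly is worth comparing against the configured peer list before keeping recovery enabled on an Internet-facing interface.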