Problems with VPN Tunnel (IPSEC Spoof)

Hi,

Basically we have a tunnel between two sites (obviously).

We are both on a network on the inside interfaces (theirs is 10.20.x.x / 255.255.0.0 and ours is 172.16.0.0)

The tunnel comes up fine. If he then tries to ping me it fails. I have added the ACL rule in for his IP and the destination IP and the error it comes up with is:

Result (ipsec-spoof) IPSEC Spoof Detected

If the tunnel is down when I do the trace the packet is allowed.

Any ideas - the full trace for the allowed telnet is below:

ASA# packet-tracer input outside tcp 10.20.15.171 25 172.16.4.60 25

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.171 host 172.16.4.60
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (82.33.211.83 [Interface PAT])
translate_hits = 198, untranslate_hits = 3
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected

Thanks for looking!

1 REPLY

Re: Problems with VPN Tunnel (IPSEC Spoof)

You get this message when a packet which is not encrypted is received. Check on other side if you have any ACL configured that is blocking ESP.

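The ipsec-spoof verdict in this thread can be triaged mechanically from the packet-tracer output. The following is an added example, not code from the thread or from Cisco: a small Python parser for the trace format pasted above, fed a constructed, abbreviated copy of the question's trace, that flags the case where the ASA has already matched the flow to an established IPsec tunnel (the `VPN / ipsec-tunnel-flow` phase) and then drops the packet because it arrived in cleartext, which is what a packet-tracer simulated packet looks like to the ASA since it is not ESP-encapsulated.

```python
import re
# Constructed sample: an abbreviated copy of the trace from the question.
SAMPLE_TRACE = """\
ASA# packet-tracer input outside tcp 10.20.15.171 25 172.16.4.60 25

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW

Result:
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""

# One packet-tracer phase block: number, type, optional subtype, verdict.
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (.*)\nSubtype: ?(.*)\nResult: (\S+)", re.M)
DROP_RE = re.compile(r"^Drop-reason: \((\S+)\) (.*)$", re.M)

def parse_trace(text):
    """Return (phases, drop): phases as a list of dicts, drop as a dict or None."""
    phases = [{"phase": int(n), "type": t, "subtype": s, "result": r}
              for n, t, s, r in PHASE_RE.findall(text)]
    m = DROP_RE.search(text)
    drop = {"code": m.group(1), "text": m.group(2)} if m else None
    return phases, drop

def triage(text):
    """Classify the trace, singling out the tunnel-up cleartext case."""
    phases, drop = parse_trace(text)
    if drop is None:
        return "allowed"
    # The flow was matched to an established IPsec tunnel before the drop.
    tunnel_matched = any(p["type"] == "VPN" and p["subtype"] == "ipsec-tunnel-flow"
                         and p["result"] == "ALLOW" for p in phases)
    if drop["code"] == "ipsec-spoof" and tunnel_matched:
        # ASA expected this flow inside ESP but got cleartext: a packet-tracer injection.
        return "ipsec-spoof: cleartext packet for a flow the tunnel protects"
    return "drop: " + drop["code"]
```

With the tunnel down the same trace ends in an allow, so a real-traffic capture or a check that ESP reaches the outside interface, as the reply suggests, is the next step rather than further packet-tracer runs.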