I have a situation where I would like to allow clients on the inside of my network to VPN to other 3rd parties (the clients will get NATed to the outside interface of the router), while at the same time there are site-to-site VPNs to others. When I configure it, the router logs %CRYPTO-4-RECVD_PKT_INV_SPI when the client tries to connect to the remote VPN server, which I assume is because the router is trying to decrypt the packet rather than forwarding it to the internal client that sent it.
It's normal to see this Invalid SPI message once every few hours because of the IPsec Phase 2 rekey, unless you face a lot of connectivity issues. If you are only getting these messages occasionally, it is usually because the SA is being renegotiated. This periodic renegotiation of SAs is, itself, a security feature designed to make the environment more robust, so the occasional appearance of these messages is normal.
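A way to tell the two cases apart from the logs, as an added example that is not part of either post above: parse the %CRYPTO-4-RECVD_PKT_INV_SPI lines, group them by the source address that sent the ESP, and separate sparse messages (rekey noise, a few per day) from bursts (many within a minute). A burst from an address that is not one of your configured site-to-site peers matches the questioner's scenario, where a third-party VPN server is answering a NATed internal client and the router tries to decrypt the ESP itself. The sample log lines, the peer addresses, the SPIs and the thresholds are constructed for this example; the line layout follows the form IOS uses for this message, and the regex assumes a plain `Mon DD HH:MM:SS` timestamp (adjust it if your router logs sequence numbers, a year, or a timezone).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original posts). The message
# layout follows the form IOS logs for %CRYPTO-4-RECVD_PKT_INV_SPI, but every
# address, SPI and timestamp is made up for this example.
SAMPLE_LOG = """\
Mar  1 02:00:05.123: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.5, input interface=GigabitEthernet0/0
Mar  1 10:00:31.001: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x5E6F7A8B(1584626315), srcaddr=198.51.100.5, input interface=GigabitEthernet0/0
Mar  1 11:15:00.200: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x0000A001(40961), srcaddr=192.0.2.77, input interface=GigabitEthernet0/0
Mar  1 11:15:01.400: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x0000A001(40961), srcaddr=192.0.2.77, input interface=GigabitEthernet0/0
Mar  1 11:15:02.600: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x0000A001(40961), srcaddr=192.0.2.77, input interface=GigabitEthernet0/0
Mar  1 11:15:03.800: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x0000A001(40961), srcaddr=192.0.2.77, input interface=GigabitEthernet0/0
Mar  1 11:15:05.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x0000A001(40961), srcaddr=192.0.2.77, input interface=GigabitEthernet0/0
"""

# Assumes a "Mon DD HH:MM:SS[.mmm]: " prefix; extend the pattern if your
# logging timestamps include sequence numbers, a year or a timezone.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?spi=(?P<spi>0x[0-9A-Fa-f]+).*?"
    r"srcaddr=(?P<src>[0-9A-Fa-f.:]+)"
)


def parse_events(log_text):
    """Return (timestamp, source address, SPI) for every invalid-SPI line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the double space IOS pads single-digit days with.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["spi"]))
    return events


def classify_peers(events, known_peers, window=timedelta(minutes=1), burst=3):
    """
    Per source address: 'rekey-noise' when messages are sparse, 'burst' when
    more than `burst` of them fall inside one `window`. A burst from an address
    that is not a configured site-to-site peer points at ESP that was meant for
    an internal client behind NAT, not for the router's own SAs.
    """
    by_peer = defaultdict(list)
    for ts, src, _spi in events:
        by_peer[src].append(ts)

    verdicts = {}
    for src, stamps in by_peer.items():
        stamps.sort()
        worst, start = 1, 0
        for end in range(len(stamps)):           # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > burst:
            suffix = "" if src in known_peers else ", not a configured peer"
            verdicts[src] = "burst" + suffix
        else:
            verdicts[src] = "rekey-noise"
    return verdicts


if __name__ == "__main__":
    # Hypothetical list of the peers you actually have crypto maps for.
    configured_peers = {"198.51.100.5"}
    for peer, verdict in classify_peers(parse_events(SAMPLE_LOG), configured_peers).items():
        print(f"{peer}: {verdict}")
```

On real routers feed it `show logging` output (or the syslog server's file) and put your crypto-map peer addresses in `configured_peers`; the thresholds are a starting point, and a site-to-site peer that bursts is worth a look too, since that usually means the two sides disagree about the current SA rather than a normal rekey.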
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...