Cisco Support Community


VPN Client behind a Router does not work

Hello everybody!

Situation description:

A Cisco 2811 router is the gateway to the internet.

The dialer interface is NAT outside.

There is also a site-to-site VPN connection.

A user wants to connect from inside with a VPN client to an external site.

The VPN connection is established, but no data goes through this connection.

On the Cisco router I see this message in the log:

May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0x7B9200C8(2073166024), srcaddr=

So it seems like NAT does not work for this?

I configured the router with the SDM.

Here's the config:

version 12.4

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address

crypto ipsec transform-set IPSEC_Proposal_Gateprotect esp-3des esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 222.222.222.2222
 set peer
 set transform-set IPSEC_Proposal_Gateprotect
 match address 100

interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 no mop enabled

interface FastEthernet0/0/0
 switchport access vlan 2

interface Vlan2
 ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412

interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password xxx
 crypto map SDM_CMAP_1

ip route Dialer0

ip nat inside source static tcp 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 25 interface Dialer0 25
ip nat inside source static tcp 80 interface Dialer0 80

access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 deny ip
access-list 101 permit ip any
access-list 101 permit ip any
dialer-list 1 protocol ip permit

route-map SDM_RMAP_1 permit 1
 match ip address 101

Any hints?

Kind regards



Re: VPN Client behind a Router does not work

This error occurs when the peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then reestablish successfully. I think you will have to reenter preshare keys manually. Enter these commands:

isakmp nat

sysopt connection tcpmss 1300

This error may also appear when there is an attack from outside. The following link may help you:


Re: VPN Client behind a Router does not work


Thanks for your answer!

The problem is not the site-to-site VPN connection, which is made by the router itself; it is that a user inside the local network cannot use a VPN connection with some client from his workstation.

When the user starts HIS VPN connection, it looks established, but there is no data flow.

And on the router I see this error message:

no valid SA found.

Maybe it is a problem when the router does a site-to-site VPN and NAT outside on the same interface?




Re: VPN Client behind a Router does not work


I'm working on the same problem.

I have routers with an L2L VPN for management and clients behind the router establishing a VPN to the central site.

Sometimes the management VPN gets lost, and if I take a look at "sh ip nat trans" I can see that there are two NAT translations:

(roIP = router outside IP, cLIP = client LAN IP, csVPNg = central site VPN gateway)

Pro  Inside global   Inside local   Outside local   Outside global
udp  roIP:500        cLIP:500       csVPNg:500      csVPNg:500
udp  roIP:4500       cLIP:4500      csVPNg:4500     csVPNg:4500

This naturally collides with the router's management VPN connection from roIP:500 to csVPNg:500.

What is astonishing is that it works for a certain time.

Until now I haven't found a solution.

The only thing I have in mind is to change the router's VPN to another UDP port or to TCP.

But maybe there's an easier solution?
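The collision described in the post above can be checked against the output of "sh ip nat trans". This is an added example, not code from the thread or from Cisco: it parses a constructed translation table (RFC 5737 addresses standing in for roIP, cLIP and csVPNg) and flags UDP 500/4500 entries that claim the router's own IKE port toward a peer the router itself terminates a tunnel with; the peer set ROUTER_OWN_PEERS is assumed.

```python
from typing import List, NamedTuple

# Constructed sample of "show ip nat translations" output (RFC 5737 addresses,
# not taken from the thread). 203.0.113.1 is the router's outside IP (roIP),
# 192.168.1.20 the inside client (cLIP), 198.51.100.5 the central-site
# VPN gateway (csVPNg). The tcp row is ordinary PAT traffic for contrast.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.1:500    192.168.1.20:500   198.51.100.5:500   198.51.100.5:500
udp 203.0.113.1:4500   192.168.1.20:4500  198.51.100.5:4500  198.51.100.5:4500
tcp 203.0.113.1:1024   192.168.1.30:1024  198.51.100.9:443   198.51.100.9:443
"""

# Peers for which the router itself terminates an IPsec tunnel (the
# "set peer" addresses of its crypto map). Assumed for this example.
ROUTER_OWN_PEERS = {"198.51.100.5"}
IKE_PORTS = {500, 4500}   # ISAKMP and NAT-T (UDP encapsulation)

class Translation(NamedTuple):
    proto: str
    inside_global: tuple   # (ip, port) as seen by the outside peer
    inside_local: tuple    # (ip, port) of the inside host
    outside_global: tuple  # (ip, port) of the outside peer

def _split(endpoint: str) -> tuple:
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port)

def parse_nat_table(text: str) -> List[Translation]:
    """Parse the five columns of 'show ip nat translations' into tuples."""
    rows = []
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) != 5:
            continue                        # ignore '---' and unparsed rows
        proto, ig, il, _ol, og = fields
        rows.append(Translation(proto, _split(ig), _split(il), _split(og)))
    return rows

def find_ike_collisions(rows, own_peers=ROUTER_OWN_PEERS) -> List[Translation]:
    """Flag PAT entries that map an inside client onto the router's own IKE
    port (UDP 500/4500) toward a peer the router also has a tunnel with.
    Inbound IKE/NAT-T from that peer then matches the client's translation
    instead of the router's own SA, the symptom reported in the thread."""
    return [t for t in rows
            if t.proto == "udp"
            and t.inside_global[1] in IKE_PORTS
            and t.outside_global[0] in own_peers]
```

Feed it the real "sh ip nat trans" output and the router's own peer list; any hit is a translation that will hijack the router's management IKE exchange with that peer.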



Re: VPN Client behind a Router does not work


My problem was an IOS software bug with 12.4(13).

I used another version and this works without a problem.