IPSec conflict between IPSec tunnels and corporate VPN

Reed McIntosh
Level 1

I run a 2821 running c2800nm-adventerprisek9-mz.124-22.YB8 at home with 2 GRE over IPSec tunnels for personal use, and my desktop will run an IPSec-based VPN client to connect to the corporate VPN.  My issue is that when I would connect to the corporate VPN, I would see packets being encrypted and sent out but I would never receive packets back.  It appears that the IPSec VPN tunnels conflict with the IPSec packets from my desktop and the router attempts to decrypt them and gives this error.  (I removed public addresses for anonymity.)

CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr="myaddress", prot=50, spi=0xDB32344E(3677500494), srcaddr="corpvpn"

When I remove the crypto map off of the WAN side of the router, my desktop VPN works immediately.  I can change the configuration on either side of the GRE IPSec tunnels, but there is no way for me to change any configuration on the corporate VPN.  Does anyone know of a workaround on the Cisco router?  I can provide any running configs or show commands.

The 2821 is also running NAT overload for internet access.

Accepted Solution

Hello, Reed.

1. Try to remove crypto map from interface and add "tunnel protection ipsec profile ..." to your VTI:

crypto ipsec profile IPSEC
 set transform-set strong
!
interface GigabitEthernet0/0
 no crypto map map
!
! the tunnel interfaces are Tunnel0 and Tunnel1 in the running config posted in this thread
interface Tunnel0
 tunnel protection ipsec profile IPSEC
!
interface Tunnel1
 tunnel protection ipsec profile IPSEC

2. Try to force your corpVPN to use UDP encapsulation instead of ESP.


6 Replies

Hello, Reed.

Could you please provide IPSec and NAT configuration from your router?

What kind of IPSec do you run on you PC? Does it support NAT-T or UDP encapsulation?

For your first question, here is the running config (without public IPs or encrypted hashes):

crypto isakmp key 6 peerkey2 address peeraddress2
crypto isakmp key 6 peerkey1 address peeraddress1
!
!
crypto ipsec transform-set strong esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set stronger ah-sha-hmac esp-aes 256 esp-sha-hmac
!
!
!
crypto map map 10 ipsec-isakmp
 set peer peeraddress1
 set transform-set stronger
 match address peer1
crypto map map 20 ipsec-isakmp
 set peer peeraddress2
 set transform-set strong
 match address peer2
!
ip access-list extended peer1
 permit gre host myip host peeraddress1
ip access-list extended peer2
 permit gre host myip host peeraddress2
!
interface Tunnel0
 description Peer1
 ip address 10.255.255.253 255.255.255.252
 ip mtu 1436
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1360
 cdp enable
 tunnel source GigabitEthernet0/0
 tunnel destination peeraddress1
!
interface Tunnel1
 description Peer2
 ip address 10.255.255.249 255.255.255.252
 ip mtu 1436
 ip flow ingress
 ip flow egress
 cdp enable
 tunnel source GigabitEthernet0/0
 tunnel destination peeraddress2
!
interface GigabitEthernet0/0
 bandwidth 6000
 bandwidth receive 35000
 ip address dhcp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 logging event subif-link-status ignore-bulk
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 crypto map map
 service-policy output PROFILE-01
!
interface GigabitEthernet0/1
 description LAN
 no ip address
 ip flow ingress
 ip flow egress
 logging event subif-link-status ignore-bulk
 duplex auto
 speed auto
 service-policy input MARK-COS
!
interface GigabitEthernet0/1.1
 description Data
 encapsulation dot1Q 1 native
 ip address 192.168.177.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.2
 description Voice
 encapsulation dot1Q 2
 ip address 172.31.177.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any

My VPN client is the Linux implementation vpnc; I believe that it supports both NAT-T and UDP.


I made the crypto changes as you suggested and it appears to be working without a hitch. I connected and disconnected from the VPN several times and I was not able to recreate the issue.

shine pothen
Level 3

Even I had this kind of issue; it is called blackholed, so we have to wait until the SA expires on the sending device.

For more information, check this link.

www.cisco.com/image/gif/paws/115801/115801-ipsec-spi-errors-technologies_tech_note-00.pdf

shine pothen
Level 3

You can also try out this command:

crypto isakmp invalid-spi-recovery

Anyway, read the document and you will get the correct information.

www.cisco.com/image/gif/paws/115801/115801-ipsec-spi-errors-technologies_tech_note-00.pdf
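The thread describes two different causes behind the same CRYPTO-4-RECVD_PKT_INV_SPI line: a configured peer still sending on an SA this router has lost (the blackholed case above, where waiting for SA expiry or invalid-spi-recovery applies), and ESP arriving from an address that is not a peer at all (the original poster's case, where the desktop's VPN traffic passing through the NAT was picked up by the crypto map on the outside interface, and the fix was moving to VTI tunnel protection or UDP encapsulation). The following Python script is an added example, not code from this thread or from Cisco. It parses such log lines, pulls the peer list and interface blocks out of the posted config, and reports which of the two cases each line looks like. The config is a trimmed copy of the one posted above with RFC 5737 documentation addresses standing in for the real peers, the second log line is constructed, the message format is the one quoted in the first post, and the verdict labels are this example's own.

```python
"""Triage IOS CRYPTO-4-RECVD_PKT_INV_SPI messages against the router config.
Added example: separates 'a peer holds an SA we lost' from 'ESP from a
non-peer', the two explanations raised in the thread."""
import re
from dataclasses import dataclass

# Matches the message as quoted in the first post; the quotes around the
# addresses are optional because the poster added them when anonymising.
INV_SPI_RE = re.compile(
    r'CRYPTO-4-RECVD_PKT_INV_SPI: .*?'
    r'destaddr="?(?P<dst>[^",\s]+)"?, '
    r'prot=(?P<prot>\d+), '
    r'spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), '
    r'srcaddr="?(?P<src>[^",\s]+)"?'
)

# Constructed sample config: trimmed from the thread's running config, with
# RFC 5737 documentation addresses in place of the real peer addresses.
SAMPLE_CONFIG = """\
crypto isakmp key 6 peerkey2 address 203.0.113.20
crypto isakmp key 6 peerkey1 address 203.0.113.10
!
crypto map map 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set stronger
 match address peer1
crypto map map 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set strong
 match address peer2
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 crypto map map
!
interface GigabitEthernet0/1.1
 ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
"""

# Constructed sample log: line 1 is the poster's own message (with the
# poster's placeholders), line 2 is a constructed message from a configured
# peer, line 3 is unrelated noise that the parser must ignore.
SAMPLE_LOGS = [
    'CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec\'d IPSEC packet has invalid spi for '
    'destaddr="myaddress", prot=50, spi=0xDB32344E(3677500494), srcaddr="corpvpn"',
    '*Mar  1 00:12:34.567: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec\'d IPSEC packet '
    'has invalid spi for destaddr=198.51.100.5, prot=50, spi=0x1A2B3C4D(439041101), '
    'srcaddr=203.0.113.10',
    '*Mar  1 00:12:35.001: %SYS-5-CONFIG_I: Configured from console by console',
]


@dataclass(frozen=True)
class InvalidSpiEvent:
    dst: str
    prot: int   # 50 = ESP, 51 = AH
    spi: int
    src: str


def parse_inv_spi(line):
    """Return an InvalidSpiEvent for a matching syslog line, else None."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    return InvalidSpiEvent(m['dst'], int(m['prot']), int(m['spi'], 16), m['src'])


def configured_peers(config):
    """Peer addresses named in 'set peer' or 'crypto isakmp key ... address'."""
    peers = set()
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith('set peer '):
            peers.add(s.split()[2])
        elif s.startswith('crypto isakmp key ') and ' address ' in s:
            peers.add(s.split(' address ', 1)[1].split()[0])
    return peers


def crypto_map_on_nat_outside(config):
    """Interfaces carrying both a crypto map and 'ip nat outside' (the
    combination from the thread). IOS indents sub-commands by one space;
    any unindented line ends the current interface block."""
    hits, cur, has_map, has_nat = [], None, False, False
    for raw in config.splitlines() + ['!']:      # sentinel closes the last block
        if not raw.startswith(' '):
            if cur and has_map and has_nat:
                hits.append(cur)
            cur, has_map, has_nat = None, False, False
            if raw.startswith('interface '):
                cur = raw.split(None, 1)[1]
            continue
        s = raw.strip()
        has_map = has_map or s.startswith('crypto map ')
        has_nat = has_nat or s == 'ip nat outside'
    return hits


def classify(event, peers):
    """Label an invalid-SPI event by the thread's two explanations."""
    if event.prot not in (50, 51):
        return 'not-ipsec'
    if event.src in peers:
        return 'stale-sa'               # a peer still sends on an SA this router lost
    return 'unexpected-esp-source'      # ESP from a non-peer, e.g. for a host behind the NAT


def triage(lines, config):
    """(srcaddr, verdict) for every invalid-SPI line, in log order."""
    peers = configured_peers(config)
    return [(ev.src, classify(ev, peers))
            for ev in map(parse_inv_spi, lines) if ev is not None]


if __name__ == '__main__':
    for src, verdict in triage(SAMPLE_LOGS, SAMPLE_CONFIG):
        print(f'{src:16} {verdict}')
    for ifname in crypto_map_on_nat_outside(SAMPLE_CONFIG):
        print(f'{ifname}: crypto map on a NAT-outside interface')
```

Run as-is it prints one verdict per matching line and flags GigabitEthernet0/0. On a live box, feed triage the output of show logging and the functions that read the config the output of show running-config; a stale-sa verdict points at the SA-expiry/invalid-spi-recovery remedy, an unexpected-esp-source verdict together with a flagged interface points at the crypto-map-on-NAT-outside conflict the original poster hit.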
