Cisco Support Community

ipsec vpn error

VPN is up and established but receiving this error? Where is the problem? Thanks.
IPSEC: Received an ESP packet from 22.23.24.25 (user= 22.23.24.25) to 22.23.24.26.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 1.1.1.1., its source as 10.10.10.5, and its protocol as tcp.  The SA specifies its local proxy as 10.0.0.0/255.0.0.0/ip/0 and its remote_proxy as 10.10.10.0/255.255.255.0/ip/0.

3 REPLIES
Hall of Fame Super Silver

The crypto map / access-list at their end says to route packets for address 1.1.1.1 to your end of the VPN.

Your map doesn't match and your IPSec SAs don't include that network in the local identities, thus the error.

That's what I determined as well about the packet having a destination of 1.1.1.1, but it seems to be using the tunnel, which I do not want. I only want the 10.0.0.0 going through the tunnel and all else straight out.

On the remote ASA I have the source network as 10.10.10.0 and destination as 10.0.0.0 - so how would I fix this?

Hall of Fame Super Silver

Something is not set up correctly at the remote end, as it believes that packet should be encapsulated and sent across the tunnel.

If it's an ASA that you control, you can try seeing what's going on by using packet-tracer (reference) as follows:

packet-tracer input inside tcp 10.10.10.5 1025 1.1.1.1 80 detailed

(I assume the distant end inside interface is named "inside". If not, substitute the actual nameif. I also used port 80 destination just as a point of reference; if you have any more detailed information on the destination port, you may use that.)
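An added example, not part of any post in this thread: a small Python check that parses the log message from the question and reports which field of the decapsulated packet falls outside the SA's proxy identities, which is the mismatch the first reply describes. The function name, the regular expression, and the reading of `ip/0` as "any protocol, any port" are assumptions made for this sketch.

```python
import ipaddress
import re

# Log line copied from the question on this page.
LOG = (
    "IPSEC: Received an ESP packet from 22.23.24.25 (user= 22.23.24.25) to 22.23.24.26.  "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA.  "
    "The packet specifies its destination as 1.1.1.1., its source as 10.10.10.5, and its protocol as tcp.  "
    "The SA specifies its local proxy as 10.0.0.0/255.0.0.0/ip/0 and its remote_proxy as 10.10.10.0/255.255.255.0/ip/0."
)

# Assumption: the message layout is exactly the one shown in the question.
PATTERN = re.compile(
    r"destination as (?P<dst>\d+(?:\.\d+){3})\.?, its source as (?P<src>\d+(?:\.\d+){3}), "
    r"and its protocol as (?P<proto>\w+)\.\s+The SA specifies its local proxy as "
    r"(?P<local>[\d.]+/[\d.]+)/(?P<lproto>\w+)/\d+ and its remote_proxy as "
    r"(?P<remote>[\d.]+/[\d.]+)/(?P<rproto>\w+)/\d+"
)


def check_inner_packet(line):
    """Return (parsed fields, list of mismatch reasons) for one such message."""
    m = PATTERN.search(line)
    if m is None:
        raise ValueError("not a proxy-identity mismatch message")
    f = m.groupdict()
    # ip_network accepts the address/netmask form used in the log.
    local = ipaddress.ip_network(f["local"], strict=False)
    remote = ipaddress.ip_network(f["remote"], strict=False)
    problems = []
    # Inbound packet: inner source must sit in the remote proxy,
    # inner destination must sit in the local proxy.
    if ipaddress.ip_address(f["src"]) not in remote:
        problems.append(f"source {f['src']} outside remote proxy {remote}")
    if ipaddress.ip_address(f["dst"]) not in local:
        problems.append(f"destination {f['dst']} outside local proxy {local}")
    # Assumption: proxy protocol "ip" covers every inner protocol.
    for side, name in (("lproto", "local"), ("rproto", "remote")):
        if f[side] not in ("ip", f["proto"]):
            problems.append(f"protocol {f['proto']} not covered by {name} proxy ({f[side]})")
    return f, problems


if __name__ == "__main__":
    _, reasons = check_inner_packet(LOG)
    print("\n".join(reasons) or "inner packet matches the SA")
```

For the message in the question, the only mismatch reported is the destination 1.1.1.1 lying outside the local proxy 10.0.0.0/8; the source 10.10.10.5 is inside the remote proxy.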
