nat transparency and %CRYPTO-4-RECVD_PKT_INV_SPI


Dmitry Melekhov

Jul 21, 2010, 4:55:58 AM
Hello!

I need to establish vpn connection over internet.

On one side I have cisco 3845 which is directly connected to internet.

On the other side I have a 2801, which is behind a zyxel adsl modem in
router mode (i.e. the real ip is on the modem; the modem does nat for the cisco).

sh crypto sess on 2801:

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 78.85.33.237 port 4500
IKE SA: local 192.168.107.1/4500 remote 78.85.133.237/4500 Active
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 host 78.85.133.237
Active SAs: 6, origin: crypto map

sh crypto sess on 3845:

Interface: Serial3/0.200
Session status: UP-ACTIVE
Peer: 78.85.37.90 port 10017
IKE SA: local 78.85.133.237/4500 remote 78.85.137.90/10017 Active
IPSEC FLOW: permit 47 host 78.85.133.237 0.0.0.0/0.0.0.0
Active SAs: 6, origin: crypto map

But traffic doesn't pass.

I see the same error on both sides:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid
spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944),
srcaddr=78.85.133.237

NAT-T is on:

crypto ipsec nat-transparency udp-encapsulation

Could you tell me how I can solve this problem?
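As an added example that is not part of the original thread: a small Python triage helper that parses `%CRYPTO-4-RECVD_PKT_INV_SPI` lines of the shape quoted above, cross-checks the hex and decimal SPI, and attaches the two observations a practitioner would want at this point (the inner protocol, 17 = UDP, i.e. the packet came in NAT-T encapsulated; and whether `destaddr` is an RFC 1918 address, meaning the receiving router is itself behind NAT). It also compares the SPI against a set of known inbound SPIs, which you would read off `show crypto ipsec sa` on the same router. The log lines below are constructed for the example (the first reuses the addresses and SPI from the post; the second SPI and the syslog prefixes are made up).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample syslog, modelled on the message quoted in the post above.
# Line 1 reuses the post's addresses and SPI; line 2's SPI is invented; line 3 is noise.
SAMPLE_LOG = """\
Jul 21 08:51:02 r2801 1234: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.107.1, prot=17, spi=0x32040000(839122944), srcaddr=78.85.133.237
Jul 21 08:51:09 r3845 5678: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=78.85.133.237, prot=50, spi=0xC0FFEE01(3237998081), srcaddr=78.85.137.90
Jul 21 08:51:10 r3845 5679: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Field layout of the IOS message as it appears in the post.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+)"
)

# IP protocol numbers that show up in the prot= field.
IP_PROTO_NAMES = {17: "UDP (NAT-T encapsulated)", 50: "ESP", 51: "AH"}


@dataclass
class InvalidSpiEvent:
    dst: str
    src: str
    proto: int
    spi: int
    notes: List[str] = field(default_factory=list)


def parse_invalid_spi(line: str) -> Optional[InvalidSpiEvent]:
    """Return an InvalidSpiEvent for a RECVD_PKT_INV_SPI line, or None for anything else."""
    m = INV_SPI_RE.search(line)
    if m is None:
        return None
    spi_hex = int(m["spi_hex"], 16)
    spi_dec = int(m["spi_dec"])
    ev = InvalidSpiEvent(dst=m["dst"], src=m["src"], proto=int(m["prot"]), spi=spi_hex)
    # IOS prints the SPI twice; a mismatch means the line was mangled in transit/storage.
    if spi_hex != spi_dec:
        ev.notes.append("hex and decimal SPI disagree; log line may be corrupted")
    return ev


def classify(ev: InvalidSpiEvent, known_inbound_spis: Set[int]) -> List[str]:
    """Triage notes for one event, given the router's current inbound SPIs."""
    notes = [f"protocol {ev.proto}: {IP_PROTO_NAMES.get(ev.proto, 'unknown')}"]
    # A private destaddr on a decaps error means this router sits behind a NAT device.
    if ipaddress.ip_address(ev.dst).is_private:
        notes.append("destaddr is RFC 1918: the receiving router is itself behind NAT")
    if ev.spi in known_inbound_spis:
        notes.append("SPI matches a current inbound SA (line predates a rekey, or SA was re-created)")
    else:
        notes.append("SPI is not among this router's current inbound SAs")
    return notes


def triage_log(log_text: str, known_inbound_spis: Set[int]) -> List[InvalidSpiEvent]:
    """Parse every RECVD_PKT_INV_SPI line in log_text and attach triage notes."""
    events = []
    for line in log_text.splitlines():
        ev = parse_invalid_spi(line)
        if ev is None:
            continue
        ev.notes.extend(classify(ev, known_inbound_spis))
        events.append(ev)
    return events


if __name__ == "__main__":
    # Pretend 0xC0FFEE01 is the only inbound SPI listed by 'show crypto ipsec sa'.
    for ev in triage_log(SAMPLE_LOG, {0xC0FFEE01}):
        print(f"{ev.src} -> {ev.dst} spi=0x{ev.spi:08X}")
        for note in ev.notes:
            print("   ", note)
```

Run against real syslog, the useful output is the combination of a private `destaddr`, `prot=17` and an SPI absent from `show crypto ipsec sa`, which says the NAT-T stream is reaching the router but no matching SA exists to decapsulate it.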

bod43

Jul 21, 2010, 7:54:19 AM
On 21 July, 09:55, Dmitry Melekhov <d...@belkam.com> wrote:

> Could you tell me how I can solve this problem?

No:)

This does work; I have done it using Pixes :-) I
don't recall any special problems. I was working
remotely and was under pressure to get it to go.
Boss: our new DSL (in a city 2 countries away)
goes live tonight, can you reconfigure the firewall? Oh,
by the way, the old one dies at the same time. !!!!!!!!!!!!!!!

Here is a complete example.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

It uses a tunnel, which may not be what you want, but
either the example may help you or of course you could
just use the tunnel too, if you have a sufficiently recent
IOS.

Igor Mamuzić aka Pseto

Jul 23, 2010, 7:45:34 AM

Can you post 'show crypto ipsec sa' from both routers?

btw. Can you use the Zyxel as a bridge only and do PPPoE on the Cisco side? I
strongly recommend this. You will get a much more rock-proof, stable
connection. Try to avoid double routing/NAT on small business
installations whenever possible.

i
