A Cisco 2811 router is the gateway to the internet.
The dialer interface is NAT outside.
There is also a VPN site-2-site connection.
A user wants to connect from inside with a VPN client to an external site.
The VPN connection is established, but no data goes through this connection.
On the Cisco router I see this message in the log:
May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=188.8.131.52, prot=50, spi=0x7B9200C8(2073166024), srcaddr=184.108.40.206
So it seems like NAT does not work for this?
I configured the router with the SDM.
Here's the config:
crypto isakmp policy 1
crypto isakmp policy 2
crypto isakmp key xxx address 220.127.116.112
crypto ipsec transform-set IPSEC_Proposal_Gateprotect esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to18.104.22.1682
set peer 22.214.171.1242
set transform-set IPSEC_Proposal_Gateprotect
match address 100
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
no mop enabled
switchport access vlan 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1412
ip address negotiated
ip mtu 1452
ip nat outside
dialer pool 1
ppp authentication chap callin
ppp chap hostname firstname.lastname@example.org
ppp chap password xxx
crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source static tcp 192.168.2.10 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.199 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 101
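The %CRYPTO-4-RECVD_PKT_INV_SPI line quoted above carries everything needed to tell a stale SA with a known peer apart from ESP arriving from an address the router has no crypto peer for. The following parser and classifier are an added example written for this thread, not Cisco code or the poster's configuration; the regex is written for the message format as it appears in the post, the first sample line is the one from the post, the second sample line is constructed, and the router's own address and peer list are taken from the log line and the `crypto isakmp key` statement in the config.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Pattern for the IOS message as quoted in the post.  Written for this example,
# not a Cisco-supplied format string.
INV_SPI_RE = re.compile(
    r"^(?P<ts>.+?): %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    r"invalid spi for destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+)$"
)

ESP = 50  # IP protocol number for ESP


@dataclass(frozen=True)
class InvalidSpiEvent:
    timestamp: str
    dst: str        # address the packet was sent to (the router's outside address)
    prot: int       # 50 = ESP, 51 = AH
    spi: int
    src: str        # address the packet came from


def parse_invalid_spi(line: str) -> Optional[InvalidSpiEvent]:
    """Return the parsed event, or None if the line is some other message."""
    m = INV_SPI_RE.match(line.strip())
    if not m:
        return None
    spi_hex, spi_dec = int(m["spi_hex"], 16), int(m["spi_dec"])
    # IOS prints the SPI twice; a mismatch means the line was mangled in transit.
    if spi_hex != spi_dec:
        raise ValueError(f"inconsistent SPI fields in log line: {line!r}")
    return InvalidSpiEvent(m["ts"], m["dst"], int(m["prot"]), spi_hex, m["src"])


def classify(ev: InvalidSpiEvent, own_addresses: Set[str], crypto_peers: Set[str]) -> str:
    """Relate the event to the router's own crypto configuration.

    peer-sa-mismatch: a configured peer used an SPI this router no longer has
                      (cleared or expired SA, the case the first answer describes).
    non-peer-esp:     ESP reached the router from an address that is not a
                      crypto peer, so it cannot be the router's own tunnel; it is
                      either traffic the router was expected to pass through
                      (such as an inside host's VPN client) or unsolicited ESP.
    not-local:        destination is not one of the router's own addresses.
    """
    if ev.dst not in own_addresses:
        return "not-local"
    if ev.src in crypto_peers:
        return "peer-sa-mismatch"
    return "non-peer-esp"


def summarize(lines: Iterable[str], own_addresses: Set[str],
              crypto_peers: Set[str]) -> Dict[str, Tuple[str, int]]:
    """Count invalid-SPI events per source address with their classification."""
    out: Dict[str, Tuple[str, int]] = {}
    for line in lines:
        ev = parse_invalid_spi(line)
        if ev is None or ev.prot not in (ESP, 51):
            continue
        verdict = classify(ev, own_addresses, crypto_peers)
        _, n = out.get(ev.src, (verdict, 0))
        out[ev.src] = (verdict, n + 1)
    return out


# First line is the one quoted in the post; the second is constructed for the
# example and uses the site-to-site peer address from the posted config.
SAMPLE_LINES = [
    "May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=188.8.131.52, prot=50, spi=0x7B9200C8(2073166024), "
    "srcaddr=184.108.40.206",
    "May 8 09:45:01.010 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=188.8.131.52, prot=50, spi=0x1A2B3C4D(439041101), "
    "srcaddr=220.127.116.112",
]
OWN_ADDRESSES = {"188.8.131.52"}       # destaddr in the posted log line
CRYPTO_PEERS = {"220.127.116.112"}     # from 'crypto isakmp key xxx address ...'

if __name__ == "__main__":
    for src, (verdict, count) in summarize(SAMPLE_LINES, OWN_ADDRESSES, CRYPTO_PEERS).items():
        print(f"{src}: {verdict} x{count}")
```

A source that shows up as non-peer-esp is the case to look at first when an inside host's VPN client appears to connect but passes no data: the ESP is reaching the router's own outside address, and the router is trying to decapsulate it rather than treating it as a translated flow.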
This error occurs when the peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then reestablish successfully. I think you will have to reenter the preshared keys manually. Enter these commands:
sysopt connection tcpmss 1300
This error also may appear when there is an attack from outside. The following link may help you:
Thanks for your answer!
The problem is not the VPN site-2-site connection, which is made by the router itself; it is that a user inside the local network cannot use a VPN connection with some client from his workstation.
When the user starts HIS VPN connection, it looks established, but there is no data flow.
And on the router I see this error message:
no valid SA found.
Maybe it is a problem when the router makes a site-2-site VPN and NAT outside on the same interface?
I'm working on the same problem.
I have routers with a L2L VPN for management and clients behind the router establishing VPNs to the central site.
Sometimes the management VPN gets lost, and if I take a look at "sh ip nat trans" I can see that there are two NAT translations:
(roIP=router outside IP, cLIP=client LAN IP, csVPNg=central site VPN gateway)
Pro  Inside global  Inside local  Outside local  Outside global
udp  roIP:500       cLIP:500      csVPNg:500     csVPNg:500
udp  roIP:4500      cLIP:4500     csVPNg:4500    csVPNg:4500
This naturally collides with the router's management VPN connection from roIP:500 to csVPNg:500.
Astonishing is that it works for a certain time.
Until now I didn't find a solution.
The only thing I have in mind is to change the router's VPN to another UDP port or to TCP.
But maybe there's an easier solution?
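The collision described in this post can be reproduced with a small model of the PAT table. The code below is an added example, not Cisco IOS code or anything from the thread: it models one outside address that both terminates the router's own IKE session (roIP:500 and roIP:4500 to csVPNg) and translates an inside client's IKE/NAT-T traffic to the same gateway. The addresses standing in for roIP, cLIP and csVPNg are constructed placeholders. With port preservation and no check against the router's own sessions it reproduces the two translations shown in the post; `ambiguous_replies()` lists the reply packets the router can no longer attribute to one session, and the `check_local=True` path shows that skipping ports the router itself uses is enough to avoid the clash.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One direction of a UDP/TCP 5-tuple."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class PatTable:
    """Minimal NAT-overload (PAT) model for a single outside address."""

    def __init__(self, outside_ip: str, local_flows: List[Flow]) -> None:
        self.outside_ip = outside_ip
        self.local: Set[Flow] = set(local_flows)  # sessions the router itself owns
        self.entries: Dict[Flow, Flow] = {}       # global-side flow -> inside flow

    def translate(self, inside: Flow, check_local: bool) -> Flow:
        """Allocate a global-side flow for an inside flow.

        The inside source port is tried first (port preservation).  With
        check_local=False the router's own sessions are ignored, which yields the
        duplicate roIP:500 entry from the post; with check_local=True any port
        the router is already using towards that destination is skipped.
        """
        ports = [inside.src_port] + [p for p in range(1024, 65536) if p != inside.src_port]
        for port in ports:
            candidate = Flow(inside.proto, self.outside_ip, port, inside.dst_ip, inside.dst_port)
            if candidate in self.entries:
                continue
            if check_local and candidate in self.local:
                continue
            self.entries[candidate] = inside
            return candidate
        raise RuntimeError("no free source port on outside address")

    def ambiguous_replies(self) -> List[Flow]:
        """Reply packets matching both a router-owned session and a PAT entry.

        For such a packet the router cannot tell its own IKE traffic from the
        translated client's, so one of the two VPNs breaks.
        """
        clashes = [g.reverse() for g in self.entries if g in self.local]
        return sorted(clashes, key=lambda f: (f.src_port, f.dst_port))

    def show(self) -> List[str]:
        """Render the table roughly like 'show ip nat translations'."""
        return [
            f"{g.proto} {g.src_ip}:{g.src_port} {i.src_ip}:{i.src_port} "
            f"{g.dst_ip}:{g.dst_port} {g.dst_ip}:{g.dst_port}"
            for g, i in self.entries.items()
        ]


# Constructed placeholder addresses for roIP, cLIP and csVPNg from the post.
RO_IP, CL_IP, CS_VPN_GW = "203.0.113.1", "192.168.2.50", "198.51.100.9"

# The router's own management L2L VPN: IKE on 500 and NAT-T on 4500.
ROUTER_IKE = [
    Flow("udp", RO_IP, 500, CS_VPN_GW, 500),
    Flow("udp", RO_IP, 4500, CS_VPN_GW, 4500),
]


def simulate(check_local: bool) -> PatTable:
    """An inside client starts IKE (500) and then NAT-T (4500) to the same gateway."""
    table = PatTable(RO_IP, ROUTER_IKE)
    table.translate(Flow("udp", CL_IP, 500, CS_VPN_GW, 500), check_local)
    table.translate(Flow("udp", CL_IP, 4500, CS_VPN_GW, 4500), check_local)
    return table


if __name__ == "__main__":
    for check in (False, True):
        t = simulate(check)
        print(f"check_local={check}")
        print("\n".join(t.show()))
        print("ambiguous reply ports:", [f.dst_port for f in t.ambiguous_replies()])
```

Running it with `check_local=False` prints the same two udp entries as the post's "sh ip nat trans" output and reports ports 500 and 4500 as ambiguous; with `check_local=True` the client's flows are translated to a different source port and nothing is ambiguous, which is the same effect the post's idea of moving the router's own VPN to another port would achieve from the other side.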