VPN Client behind a Router does not work

Hello everybody!

Situation description:

Cisco 2811 router is gateway to internet.

the dialer interface is nat outside.

There is also a vpn site-2-site connection.


A user wants to connect from inside with a VPN client to an external site.

The VPN connection is established, but no data goes through this connection.

On the Cisco router I see this message in the log:

May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0x7B9200C8(2073166024), srcaddr=

So it seems like NAT does not work for this?

I configured the router with the SDM.

Here's the config:

version 12.4

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800

crypto isakmp key xxx address

crypto ipsec transform-set IPSEC_Proposal_Gateprotect esp-3des esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to222.222.222.2222
set peer
set transform-set IPSEC_Proposal_Gateprotect
match address 100

interface FastEthernet0/0
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
no mop enabled

interface FastEthernet0/0/0
switchport access vlan 2

interface Vlan2
ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412

interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password xxx
crypto map SDM_CMAP_1

ip route Dialer0

ip nat inside source static tcp 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 25 interface Dialer0 25
ip nat inside source static tcp 80 interface Dialer0 80

access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 deny ip
access-list 101 permit ip any
access-list 101 permit ip any
dialer-list 1 protocol ip permit

route-map SDM_RMAP_1 permit 1
match ip address 101



Any hints?

Kind regards



Re: VPN Client behind a Router does not work

This error occurs when the peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then re-establish successfully. I think you will have to re-enter the pre-shared keys manually. Enter these commands:

isakmp nat

sysopt connection tcpmss 1300

This error may also appear when there is an attack from outside. The following link may help you


Re: VPN Client behind a Router does not work


Thanks for your answer!

The problem is not the VPN site-2-site connection, which is made by the router itself; it is that a user inside the local network cannot use a VPN connection with some client from his workstation.

When the user starts HIS VPN connection, it looks established, but there is no data flow.

And on the router I see this error message:

no valid SA found.

Maybe it is a problem when the router makes a site-2-site VPN and NAT outside on the same interface?




Re: VPN Client behind a Router does not work


I'm working on the same problem.

I have routers with an L2L VPN for management and clients behind the router establishing a VPN to the central site.

Sometimes the management VPN gets lost, and if I take a look at "sh ip nat trans" I can see that there are two NAT translations:

(roIP=router outside IP, cLIP=client LAN IP, csVPNg=central site VPN gateway)

Pro  Inside global  Inside local  Outside local  Outside global
udp  roIP:500       cLIP:500      csVPNg:500     csVPNg:500
udp  roIP:4500      cLIP:4500     csVPNg:4500    csVPNg:4500

This naturally collides with the router's management VPN connection from roIP:500 to csVPNg:500.

What is astonishing is that it works for a certain time.

Until now I didn't find a solution.

The only thing I have in mind is to change the router's VPN to another UDP port or to TCP.

But maybe there's an easier solution?
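The port collision described in this post can be picked out of "sh ip nat trans" output automatically. The script below is an example added by the editor, not code from this thread or from Cisco: it parses a constructed sample of the translation table (documentation addresses standing in for the poster's roIP, cLIP and csVPNg placeholders) and flags UDP 500/4500 translations that map an inside host onto the router's own outside address and port toward a peer the router itself also terminates a tunnel with. The constant names, the sample addresses and the peer list are assumptions for the illustration. As background to the first post's log line, ESP (IP protocol 50) carries no port numbers, so a PAT overload translation has nothing to multiplex on; a client behind NAT therefore depends on NAT-T over UDP 4500, which is exactly the flow this check inspects.

```python
"""Flag IKE/NAT-T translations that collide with the router's own IKE sockets.

Editor's example for the thread above; sample data is constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IKE_PORTS: Set[int] = {500, 4500}  # ISAKMP and NAT-T


@dataclass(frozen=True)
class NatEntry:
    proto: str
    inside_global: Tuple[str, int]
    inside_local: Tuple[str, int]
    outside_local: Tuple[str, int]
    outside_global: Tuple[str, int]


def _endpoint(text: str) -> Tuple[str, int]:
    """Split 'addr:port' into (addr, port); raises ValueError for '---' entries."""
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_nat_table(output: str) -> List[NatEntry]:
    """Parse the five-column 'show ip nat translations' layout.

    Header lines and static entries without ports (shown as '---') are skipped.
    """
    entries: List[NatEntry] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        try:
            entries.append(NatEntry(parts[0], *map(_endpoint, parts[1:])))
        except ValueError:
            continue  # static translation without port information
    return entries


def find_ike_collisions(entries: List[NatEntry], router_outside_ip: str,
                        router_peers: Set[str]) -> List[NatEntry]:
    """Return translations where an inside host's UDP 500/4500 flow has been
    PAT'd to the router's own outside IP on the same port, toward a peer the
    router also uses for its own site-to-site tunnel. Those entries share the
    5-tuple with locally originated IKE, which is the collision the post shows."""
    hits: List[NatEntry] = []
    for e in entries:
        if e.proto != "udp":
            continue
        ig_ip, ig_port = e.inside_global
        if (ig_ip == router_outside_ip and ig_port in IKE_PORTS
                and e.outside_global[0] in router_peers
                and e.inside_local[0] != router_outside_ip):
            hits.append(e)
    return hits


def summarize(hits: List[NatEntry]) -> Dict[str, List[int]]:
    """Map each colliding inside host to the IKE ports it has taken over."""
    summary: Dict[str, List[int]] = {}
    for e in hits:
        summary.setdefault(e.inside_local[0], []).append(e.inside_global[1])
    return summary


# Constructed sample output. 203.0.113.10 plays roIP, 192.168.1.20 plays cLIP
# and 198.51.100.5 plays csVPNg; the last two lines are ordinary traffic that
# must not be flagged (TCP, and a UDP 500 flow that was PAT'd to port 1025
# toward a peer the router has no tunnel with).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.10:500   192.168.1.20:500   198.51.100.5:500   198.51.100.5:500
udp 203.0.113.10:4500  192.168.1.20:4500  198.51.100.5:4500  198.51.100.5:4500
tcp 203.0.113.10:1024  192.168.1.30:51000 198.51.100.9:443   198.51.100.9:443
udp 203.0.113.10:1025  192.168.1.40:500   192.0.2.77:500     192.0.2.77:500
"""

ROUTER_OUTSIDE_IP = "203.0.113.10"       # assumed Dialer0 address
ROUTER_PEERS = {"198.51.100.5"}          # assumed site-to-site peer list


def check_sample() -> Dict[str, List[int]]:
    """Run the check over the constructed sample and return the summary."""
    entries = parse_nat_table(SAMPLE_OUTPUT)
    return summarize(find_ike_collisions(entries, ROUTER_OUTSIDE_IP, ROUTER_PEERS))


if __name__ == "__main__":
    for host, ports in check_sample().items():
        print(f"{host} holds router IKE port(s) {ports}; router's own IKE to peer will fail")
```

Feed real "show ip nat translations" output to parse_nat_table and your own outside address and peer list to find_ike_collisions; an empty result means no inside host currently occupies the router's IKE ports toward its peers, a non-empty one explains a site-to-site tunnel that drops while a client VPN behind the router is up.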



Re: VPN Client behind a Router does not work


My problem was an IOS software bug with 12.4(13).

I used another version and this works without a problem.

