12-23-2007 02:52 AM - edited 03-03-2019 08:02 PM
Hello,
I have configured a Cisco 870 to connect a Cisco VPN Client installed on my private laptop into my network.
This connection works fine.
Now I have a notebook (from my company); a Contivity VPN client is installed on this notebook.
I am not able to establish a secure connection out of my LAN via this contivity client into my company.
I
While establishing the connection I see the following lines in my router log:
Dec 22 17:54:44: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=xxx.xxx.xxx.xxx, prot=50, spi=0x1C59F1(1858033), srcaddr=xxx.xxx.xxx.xxx
12-23-2007 03:01 AM
Hi,
Here's the explanation for the error and recommended action.
Explanation
A received IPSec packet specifies an SPI that does not exist in SADB. This may be a temporary condition because of slight differences in the aging of SAs between the IPSec peers or because the local SAs have been cleared. It may also be caused by invalid packets sent by the IPSec peer. This activity could be considered a hostile event.
Recommended Action
If the local SAs have been cleared, the peer may not know. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.
Regards,
Dandy
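The recommended action above separates a brief occurrence from one that persists. The following added example (not part of the thread and not Cisco's own code) parses the message format shown in the first post and labels each source/destination/SPI triple accordingly; the 60-second cut-off, the fixed year and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the IOS message shown in the post; \s+ tolerates the line wrap after "for".
INV_SPI = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %CRYPTO-4-RECVD_PKT_INV_SPI: .*?for\s+"
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\((?P<dec>\d+)\), srcaddr=(?P<src>[\d.]+)"
)
PERSIST_SECONDS = 60  # assumed cut-off for "more than a brief period"

def parse(text):
    """Yield (time, src, dst, prot, spi) for each invalid-SPI message in text."""
    for m in INV_SPI.finditer(text):
        spi = int(m["spi"], 16)
        if spi != int(m["dec"]):  # hex and decimal forms must agree
            continue              # otherwise treat the line as corrupted and skip it
        # The syslog stamp has no year; a fixed one is assumed, for arithmetic only.
        t = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        yield t, m["src"], m["dst"], int(m["prot"]), spi

def classify(text, persist=PERSIST_SECONDS):
    """Group by (src, dst, spi) and label each group 'transient' or 'persistent'."""
    seen = defaultdict(list)
    for t, src, dst, _prot, spi in parse(text):
        seen[(src, dst, spi)].append(t)
    result = {}
    for key, times in seen.items():
        span = (max(times) - min(times)).total_seconds()
        result[key] = ("persistent" if span > persist else "transient", len(times))
    return result

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE = """\
Dec 22 17:54:44: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
 destaddr=192.0.2.1, prot=50, spi=0x1C59F1(1858033), srcaddr=198.51.100.7
Dec 22 17:55:10: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1C59F1(1858033), srcaddr=198.51.100.7
Dec 22 17:57:02: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1C59F1(1858033), srcaddr=198.51.100.7
Dec 22 18:01:30: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xA1B2(41394), srcaddr=198.51.100.9
"""

if __name__ == "__main__":
    for (src, dst, spi), (label, n) in classify(SAMPLE).items():
        print(f"{src} -> {dst} spi=0x{spi:X}: {n} hit(s), {label}")
```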
12-23-2007 03:25 AM
Hi,
Yes, I have read this article. But what I do not understand is this: these packets only have to pass through this router; they are not destined for the router.
Why does the crypto engine look into these packets, which are destined for a client in my LAN?