cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5100
Views
5
Helpful
3
Replies

IPSec Spoof Detected error on VPN route

GrahamB_SEMC
Level 1
Level 1

I'm trying to set up a new VPN user/group/policy to replace a flawed old version that used IP addresses from the same pool as the inside VLAN. As of right now I have most things configured but am unable to establish a connection to a service host on the inside VLAN with the new configuration. The old configuration works fine. Other services like RDP are working fine on the new configuration.

I *thought* that I had everything configured to use the new IP addresses in ACL lists, NAT Excemptions and the like but must have a conflict or missing rule somewhere I can't spot. Using the packet tracer everything works except when I test 192.168.16.x -> 192.168.15.x on interface outside, it says "IPSEC Spoof Detected" as the reason for dropping packets. When attempting to establish the connection there is no errors, just "Built inbound TCP..." followed by "Teardown TCP... SYN Timeout 00:30"

For the record the 192.168.16.100-150 pool is the correct VPN address pool.

Once I have it working 100% I'd like to remove the 192.168.15.200-250 pool from the ASDM configuration.

My configurations:

: Saved

:

ASA Version 8.2(5)

!

hostname SEMC-TEST

enable password D37rIydCZ/bnf1uj encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.15.0 192.168.15.0 description Internal Network devices

ddns update method DDNS_Update

ddns both

interval maximum 0 4 0 0

!

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

description VLAN to inside hosts

nameif inside

security-level 100

ddns update hostname 0.0.0.0

ddns update DDNS_Update

dhcp client update dns server both

ip address 192.168.15.1 255.255.255.0

!

interface Vlan2

description External VLAN to internet

nameif outside

security-level 0

ip address xx.xx.xx.xx 255.255.255.248

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 216.221.96.37

name-server 8.8.8.8

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip 192.168.16.0 255.255.255.0 any

access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any

access-list outside_access_in extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list Remote_test_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.15.192 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any

access-list inside_access_in extended permit ip interface inside interface inside

access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any 192.168.16.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.16.0 255.255.255.0 any

access-list inside_access_in remark Block Internet Traffic

access-list inside_access_out extended permit icmp 192.168.15.0 255.255.255.0 any

access-list inside_access_out extended permit ip 192.168.15.192 255.255.255.192 any

access-list inside_access_out extended permit ip 192.168.15.0 255.255.255.0 192.168.15.192 255.255.255.192

access-list inside_access_out extended permit ip 192.168.16.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_IP_Alt 192.168.16.100-192.168.16.150 mask 255.255.255.0

ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0

ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any echo-reply inside

icmp permit any echo-reply outside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat-control

global (inside) 2 interface

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_2

access-group inside_access_in in interface inside

access-group inside_access_ipv6_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.15.0 255.255.255.0 inside

http 192.168.16.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.15.200-192.168.15.250 inside

dhcpd enable inside

!

no threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.15.101 source inside

ntp server 192.168.15.100 source inside prefer

webvpn

group-policy Remote_test_Alt internal

group-policy Remote_test_Alt attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Remote_test_splitTunnelAcl

group-policy Remote_test internal

group-policy Remote_test attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Remote_test_splitTunnelAcl

username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0

username StockUser attributes

vpn-group-policy Remote_test

username StockUser2 password t6a0Nv8HUfWtUdKz encrypted privilege 0

username StockUser2 attributes

vpn-group-policy Remote_test_Alt

tunnel-group Remote_test type remote-access

tunnel-group Remote_test general-attributes

address-pool VPN_IP_Pool

default-group-policy Remote_test

tunnel-group Remote_test ipsec-attributes

pre-shared-key *****

tunnel-group Remote_test2 type remote-access

tunnel-group Remote_test2 general-attributes

address-pool VPN_IP_Alt

default-group-policy Remote_test_Alt

tunnel-group Remote_test2 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:834543b67beaaa65578d8032d7d272c3

: end

3 Replies 3

harshisi_2
Level 1
Level 1

Hi Graham,

If you are running packet tracer from outside to inside it will always fail as it can not replicate the encrypted packet and associated SA. Try sending the actual traffic from vpn client and let me know if it works

Regards
~Harry


Sent from Cisco Technical Support Android App

Harry,

I appreciate the reply and apologise for taking so long to respond myself. When trying to connect to the service it still fails, I was using the Packet Tracer as a quicker means of testing.

However, after further investigation Friday I believe the issue I am having may be with the service itself. It is a specialized device which, after reviewing its routing table has no route for 192.168.16.x addresses. I cannot update this configuration without scheduling a critical downtime hopefully within the next week.

Again I appreciate the response but unfortunately my issue might not have to do with the VPN configuration at all!

Thanks Graham,

Let me know in case you ever need my help

~Harry

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: