28831 Views | 0 Helpful | 7 Replies

Drop-reason: (ipsec-spoof) IPSEC Spoof detected

anshubathla
Level 1

What can be the possible reasons for "(ipsec-spoof) IPSEC Spoof detected"?

I have checked with packet-tracer (as below) for the incoming VPN traffic on the firewall and got this error:

packet-tracer input outside tcp 192.168.10.2 1234 10.10.10.2 80

Also I can see the decrypt packet counts are increasing, but the encrypt count is zero.

Please help me to resolve this.


1 Accepted Solution

malshbou
Level 1

The packet-tracer command you showed doesn't actually simulate VPN traffic; packet-tracer simulates packets as ingressing the ASA from the wire, which in your case are the encrypted packets (with the tunnel endpoints as source/destination IPs). So, this drop-reason doesn't actually reflect your problem.

I believe that you should trace the packets in the encryption path (routing, NAT, crypto ACL overlaps...) since you can find decaps but no encaps.

Hope this helps

------------------
Mashal Alshboul

7 Replies


Thanks for the explanation. Let me explain my scenario:

Inside host IP 10.10.10.2 (directly connected to the inside network), which is static NATed to 172.168.10.2:

static (inside,outside) 172.168.10.2 10.10.10.2 netmask 255.255.255.255

Encryption ACL:

access-list vpnytraffic extended permit ip 172.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0

If, from the other VPN peer, host traffic is initiated by 192.168.10.2 to 172.168.10.2, then in show crypto ipsec sa I can see the decrypt count is increasing but the decrypt packet count is not increasing. That means return traffic is not working?

I can ping the 10.10.10.2 from the firewall.

Networks 172.168.10.0/24 and 192.168.10.0/24 are routed to outside by the default route.

Please let me know if I am missing any configuration step in this.

Please get the following:

- packet-tracer input inside icmp 10.10.10.2 8 0 192.168.10.2

- cap capin interface inside match icmp host 10.10.10.2 host 192.168.10.2

- cap asp type asp-drop match all

Then run a continuous ping from the VPN peer (192.168.10.2 to 172.168.10.2), and get "show cap capin" and "show cap asp".

Please make sure that 10.10.10.2 has a correct route to 192.168.10.0 with the ASA inside interface as next-hop (gateway).

Hope this helps

------------------
Mashal Alshboul
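To make the advice in the two replies above concrete (the ipsec-spoof verdict is a property of how the probe was built, and the real question is whether the return packet matches the crypto ACL after routing and NAT), here is a small Python model of that path. It is an added example, not code from this thread or from Cisco: the static NAT entry, the crypto ACL and the routes are the ones posted above, while the order of operations, the un-NAT step and the verdict strings are a simplified assumption about ASA behaviour, not its real code path.

```python
"""Toy model of the ASA checks this thread tells the poster to trace by hand.

Added example, not part of the thread or of Cisco's code. The NAT entry, crypto
ACL and routes are the ones posted above; the order of operations, the un-NAT
step and the verdict strings are a simplified assumption of ASA behaviour.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address
AclEntry = tuple[IPNet, IPNet]  # (source network, destination network) permit


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str             # interface the packet arrives on
    encrypted: bool = False  # True if it arrived inside the IPsec tunnel


# static (inside,outside) 172.168.10.2 10.10.10.2 netmask 255.255.255.255
STATIC_NAT = {"10.10.10.2": "172.168.10.2"}      # real -> mapped, inside->outside
UN_NAT = {v: k for k, v in STATIC_NAT.items()}   # mapped -> real, outside->inside

# access-list vpntraffic extended permit ip 172.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
CRYPTO_ACL: list[AclEntry] = [(IPNet("172.168.10.0/24"), IPNet("192.168.10.0/24"))]

# connected inside network plus the default route to outside (as posted)
ROUTES = [(IPNet("10.10.10.0/24"), "inside"), (IPNet("0.0.0.0/0"), "outside")]


def egress_interface(dst: str) -> str:
    """Longest-prefix-match route lookup."""
    addr = IPAddr(dst)
    _net, iface = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return iface


def crypto_acl_permits(acl, src, dst, mirrored=False) -> bool:
    """Outbound traffic is matched as src->dst; inbound tunnel traffic is matched
    against the mirror image of the ACL (dst network -> src network)."""
    s, d = IPAddr(src), IPAddr(dst)
    for acl_src, acl_dst in acl:
        if mirrored:
            acl_src, acl_dst = acl_dst, acl_src
        if s in acl_src and d in acl_dst:
            return True
    return False


def trace(pkt: Packet, acl=CRYPTO_ACL) -> tuple[str, list[str]]:
    """Walk one packet through the simplified pipeline; returns (verdict, steps)."""
    steps: list[str] = []
    if pkt.ingress == "outside":
        tunnel_traffic = crypto_acl_permits(acl, pkt.src, pkt.dst, mirrored=True)
        if pkt.encrypted:
            if not tunnel_traffic:
                return "DROP: decrypted packet outside negotiated proxy IDs", steps
            steps.append("VPN decrypt: inner header matches crypto ACL")
            dst = UN_NAT.get(pkt.dst, pkt.dst)
            if dst != pkt.dst:
                steps.append(f"UN-NAT: {pkt.dst} -> {dst}")
            steps.append(f"ROUTE-LOOKUP: {dst} via {egress_interface(dst)}")
            return "ALLOW (decrypt)", steps
        if tunnel_traffic:
            # Cleartext packet on the tunnel interface carrying protected addresses:
            # this is the verdict packet-tracer gives a probe built without 'decrypted'.
            return "DROP: (ipsec-spoof) IPSEC Spoof detected", steps
    egress = egress_interface(pkt.dst)
    steps.append(f"ROUTE-LOOKUP: {pkt.dst} via {egress}")
    src = pkt.src
    if pkt.ingress == "inside" and egress == "outside":
        src = STATIC_NAT.get(pkt.src, pkt.src)   # NAT happens before the crypto check
        if src != pkt.src:
            steps.append(f"NAT: static {pkt.src} -> {src}")
    if egress == "outside" and crypto_acl_permits(acl, src, pkt.dst):
        steps.append(f"VPN encrypt: {src} -> {pkt.dst} matches crypto ACL")
        return "ALLOW (encrypt)", steps
    return "ALLOW (cleartext)", steps


if __name__ == "__main__":
    cases = [
        Packet("192.168.10.2", "172.168.10.2", "outside", encrypted=True),  # peer -> us
        Packet("10.10.10.2", "192.168.10.2", "inside"),                     # return path
        Packet("192.168.10.2", "172.168.10.2", "outside"),                  # cleartext probe
    ]
    for c in cases:
        verdict, steps = trace(c)
        print(c.src, "->", c.dst, "on", c.ingress, "|", verdict)
        for s in steps:
            print("   ", s)
    # Same return packet if the crypto ACL had been written on the real (pre-NAT) network:
    wrong_acl = [(IPNet("10.10.10.0/24"), IPNet("192.168.10.0/24"))]
    print("return path with pre-NAT crypto ACL:", trace(cases[1], wrong_acl)[0])
```

The last line of the script is the check worth carrying over to a real box: because the static translation is applied before the crypto ACL is consulted on the way out, a crypto ACL written on the real 10.10.10.0/24 addresses never matches the NATed return packet, which then leaves in cleartext and shows up exactly as "decaps but no encaps" in show crypto ipsec sa.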

Hi Mashal,

Thanks for the help, the issue has been resolved.

What change was done to get it fixed?

Hi,
What was the change made?
Or else this discussion won't be complete.
I am also waiting for the resolution.

JamesPost
Level 1

I had this issue, but was able to get past the ipsec-spoof message by adding decrypted detailed to the end of the packet-tracer command:

packet-tracer input [source zone] icmp [source] 8 0 [destination] decrypted detailed

Hope this helps.