02-08-2014 03:41 PM - edited 02-21-2020 07:29 PM
I run a 2821 running c2800nm-adventerprisek9-mz.124-22.YB8 at home with 2 GRE over IPSec tunnels for personal use, and my desktop will run an IPSec-based VPN client to connect to the corporate VPN. My issue is that when I would connect to the corporate VPN, I would see packets being encrypted and sent out, but I would never receive packets back. It appears that the IPSec VPN tunnels conflict with the IPSec packets from my desktop, and the router attempts to decrypt them and gives this error. (I removed public addresses for anonymity.)
CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr="myaddress", prot=50, spi=0xDB32344E(3677500494), srcaddr="corpvpn"
When I remove the crypto map from the WAN side of the router, my desktop VPN works immediately. I can change the configuration on either side of the GRE IPSec tunnels, but there is no way for me to change any configuration on the corporate VPN. Does anyone know of a workaround on the Cisco router? I can provide any running configs or show commands.
The 2821 is also running NAT overload for internet access.
02-11-2014 12:25 AM
Hello, Reed.
1. Try to remove the crypto map from the interface and add "tunnel protection ipsec profile ..." to your VTIs (your tunnels are Tunnel0 and Tunnel1):
crypto ipsec profile IPSEC
 set transform-set strong
!
interface GigabitEthernet0/0
 no crypto map map
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC
!
interface Tunnel1
 tunnel protection ipsec profile IPSEC
2. Try to force your corpVPN to use UDP encapsulation instead of ESP.
02-10-2014 11:07 AM
Hello, Reed.
Could you please provide the IPSec and NAT configuration from your router?
What kind of IPSec do you run on your PC? Does it support NAT-T or UDP encapsulation?
02-10-2014 05:38 PM
For your first question, here is the running config (without public IPs or encrypted hashes):
crypto isakmp key 6 peerkey2 address peeraddress2
crypto isakmp key 6 peerkey1 address peeraddress1
!
crypto ipsec transform-set strong esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set stronger ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map map 10 ipsec-isakmp
 set peer peeraddress1
 set transform-set stronger
 match address peer1
crypto map map 20 ipsec-isakmp
 set peer peeraddress2
 set transform-set strong
 match address peer2
!
ip access-list extended peer1
 permit gre host myip host peeraddress1
ip access-list extended peer2
 permit gre host myip host peeraddress2
!
interface Tunnel0
 description Peer1
 ip address 10.255.255.253 255.255.255.252
 ip mtu 1436
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1360
 cdp enable
 tunnel source GigabitEthernet0/0
 tunnel destination peeraddress1
!
interface Tunnel1
 description Peer2
 ip address 10.255.255.249 255.255.255.252
 ip mtu 1436
 ip flow ingress
 ip flow egress
 cdp enable
 tunnel source GigabitEthernet0/0
 tunnel destination peeraddress2
!
interface GigabitEthernet0/0
 bandwidth 6000
 bandwidth receive 35000
 ip address dhcp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 logging event subif-link-status ignore-bulk
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 crypto map map
 service-policy output PROFILE-01
!
interface GigabitEthernet0/1
 description LAN
 no ip address
 ip flow ingress
 ip flow egress
 logging event subif-link-status ignore-bulk
 duplex auto
 speed auto
 service-policy input MARK-COS
!
interface GigabitEthernet0/1.1
 description Data
 encapsulation dot1Q 1 native
 ip address 192.168.177.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.2
 description Voice
 encapsulation dot1Q 2
 ip address 172.31.177.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
My VPN client is the Linux implementation vpnc; I believe that it supports both NAT-T and UDP.
02-11-2014 04:14 AM
I made the crypto changes as you suggested and it appears to be working without a hitch. I connected and disconnected from the VPN several times and I was not able to recreate the issue.
02-10-2014 01:32 PM
Even I had this kind of issue; it is called blackholed, so we have to wait until the SA expires on the sending device.
For more information, check this link.
www.cisco.com/image/gif/paws/115801/115801-ipsec-spi-errors-technologies_tech_note-00.pdf
02-10-2014 01:34 PM
You can also try out this command:
crypto isakmp invalid-spi-recovery
Anyway, read the document and you will get the correct information.
www.cisco.com/image/gif/paws/115801/115801-ipsec-spi-errors-technologies_tech_note-00.pdf
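As an added triage helper (not code from this thread or from Cisco), the Python below parses the CRYPTO-4-RECVD_PKT_INV_SPI line from the first post and separates the two causes the thread discusses: a sender that is one of the router's own crypto-map peers (the stale-SA "blackholed" case, where invalid-spi-recovery applies) versus a sender that is not a peer at all (the desktop client's ESP being decapsulated by the crypto map on the WAN interface). The regex, the sample line and the peer names are constructed from the placeholders used in this thread.

```python
import re
from dataclasses import dataclass

# Constructed regex for the IOS message quoted in the first post; IOS logs the
# SPI as hex with the decimal value in parentheses.
INV_SPI_RE = re.compile(
    r"CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r'destaddr="?(?P<dst>[^",\s]+)"?, prot=(?P<prot>\d+), '
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r'srcaddr="?(?P<src>[^",\s]+)"?'
)
IPSEC_PROTO = {50: "ESP", 51: "AH"}

@dataclass
class InvalidSpiEvent:
    dst: str
    proto: str
    spi: int
    src: str

def parse_inv_spi(line):
    """Return an InvalidSpiEvent for a CRYPTO-4-RECVD_PKT_INV_SPI line, else None."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    spi = int(m.group("spi_hex"), 16)
    if spi != int(m.group("spi_dec")):  # hex and decimal fields must agree
        return None
    proto = IPSEC_PROTO.get(int(m.group("prot")), m.group("prot"))
    return InvalidSpiEvent(m.group("dst"), proto, spi, m.group("src"))

def triage(event, crypto_map_peers):
    """Classify an event against the peers configured in the router's crypto map.
    stale-sa-with-peer: sender is a configured peer holding an SA this router
      lost; drops continue until renegotiation or expiry ("blackholed") unless
      'crypto isakmp invalid-spi-recovery' is enabled.
    non-peer-esp-intercepted: sender is not a peer, so the WAN crypto map is
      decapsulating ESP meant for a NATed host (the desktop vpnc client here);
      use VTI tunnel protection instead, or make the client use UDP/NAT-T.
    """
    if event.src in crypto_map_peers:
        return "stale-sa-with-peer"
    return "non-peer-esp-intercepted"

# Constructed sample input: the line from the first post and its two peers
SAMPLE_LINE = ('%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec\'d IPSEC packet has invalid '
               'spi for destaddr="myaddress", prot=50, spi=0xDB32344E(3677500494), '
               'srcaddr="corpvpn"')
PEERS = {"peeraddress1", "peeraddress2"}
```

Feed it the router's syslog and the `set peer` addresses from the crypto map; `triage(parse_inv_spi(line), PEERS)` tells you which of the two fixes in this thread applies.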