Hi all,
I have had a fun time trying to get an IPSec tunnel up between two companies. The remote end is behind a PAT device so they are using NAT-T.
To successfully bring up the tunnel, I had to match both the public IP and the Phase 1 ID received from the device itself (which was a different IP).
After working through some issues, we have the tunnel up and staying up (they had PFS active and I didn't).
Now, before and after these PFS changes, I am still getting the following log messages:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=17, spi=0xFFAAF7B7(4289394615), srcaddr=x.x.x.x
Reading the config, is this just a sync problem? We have enabled DPD as well to ensure hosts are staying online.
Thanks in advance,
Brad