ipsec vpn error

The VPN is up and established, but I am receiving this error. Where is the problem? Thanks.
IPSEC: Received an ESP packet from 22.23.24.25 (user= 22.23.24.25) to 22.23.24.26.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 1.1.1.1., its source as 10.10.10.5, and its protocol as tcp.  The SA specifies its local proxy as 10.0.0.0/255.0.0.0/ip/0 and its remote_proxy as 10.10.10.0/255.255.255.0/ip/0.


Marvin Rhoads
Hall of Fame

The crypto map / access-list at their end says to route packets for address 1.1.1.1 to your end of the VPN.

Your map doesn't match and your IPSec SAs don't include that network in the local identities, thus the error.
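As an added example that is not from this thread, the following Python checker parses the ASA message quoted in the question and reports which proxy identity the decapsulated inner packet fell outside of. The regexes and the receiving-side rule it applies (inner source must sit inside the remote proxy, inner destination inside the local proxy) are my reading of the message text, not a documented Cisco API.

```python
import re
import ipaddress

# Constructed sample: the ASA message quoted in the question above.
SAMPLE_LOG = (
    "IPSEC: Received an ESP packet from 22.23.24.25 (user= 22.23.24.25) to 22.23.24.26. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 1.1.1.1., its source as 10.10.10.5, "
    "and its protocol as tcp. The SA specifies its local proxy as 10.0.0.0/255.0.0.0/ip/0 "
    "and its remote_proxy as 10.10.10.0/255.255.255.0/ip/0."
)

# The ASA prints the destination with a stray trailing period; allow it.
PACKET_RE = re.compile(
    r"destination as (?P<dst>\d+\.\d+\.\d+\.\d+)\.?, its source as (?P<src>\d+\.\d+\.\d+\.\d+), "
    r"and its protocol as (?P<proto>\w+)"
)
PROXY_RE = re.compile(r"local proxy as (?P<local>\S+) and its remote_proxy as (?P<remote>\S+)")


def parse_proxy(proxy):
    """Turn an ASA proxy identity 'addr/mask/proto/port' into (network, proto, port)."""
    addr, mask, proto, port = proxy.rstrip(".").split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), proto, port


def check_sa_mismatch(msg):
    """Return a list of reasons the inner packet violates the SA's proxy identities.

    An empty list means the packet would have matched the negotiated policy.
    """
    pkt = PACKET_RE.search(msg)
    prox = PROXY_RE.search(msg)
    if not pkt or not prox:
        raise ValueError("not an ASA 'decapsulated inner packet' message")
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    local_net, local_proto, _ = parse_proxy(prox["local"])
    remote_net, remote_proto, _ = parse_proxy(prox["remote"])
    problems = []
    # On the receiving ASA the inner source comes from the peer's side (remote proxy)
    # and the inner destination must be in our protected network (local proxy).
    if src not in remote_net:
        problems.append(f"source {src} outside remote proxy {remote_net}")
    if dst not in local_net:
        problems.append(f"destination {dst} outside local proxy {local_net}")
    # A proxy protocol of 'ip' means any protocol; anything else must match exactly.
    for side, proto in (("local", local_proto), ("remote", remote_proto)):
        if proto != "ip" and proto != pkt["proto"]:
            problems.append(f"protocol {pkt['proto']} not allowed by {side} proxy ({proto})")
    return problems
```

Running it on the sample reports only the destination, which is exactly what the replies above point at: 1.1.1.1 is outside the 10.0.0.0/8 local identity.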

That's what I determined as well, that the packet has a destination of 1.1.1.1, but it seems to be using the tunnel, which I do not want. I only want the 10.0.0.0 going through the tunnel and all else straight out.

On the remote ASA I have the source network as 10.10.10.0 and destination as 10.0.0.0, so how would I fix this?

Something is not correctly setup at the remote end as it believes that packet should be encapsulated and sent across the tunnel.

If it's an ASA that you control, you can try seeing what's going on by using packet-tracer (reference) as follows:

packet-tracer input inside tcp 10.10.10.5 1025 1.1.1.1 80 detailed

(I assume the distant end inside interface is named "inside". If not, substitute the actual nameif. I also used port 80 destination just as a point of reference, if you have any more detailed information on the destination port, you may use that.)