Problem in deploying an IPsec manual tunnel towards a foreign node

reggiani
Level 1

We're deploying an IPsec tunnel in manual mode (without IKE) between a Cisco 1751 router and an Ericsson remote node.

We've disabled the VPN card (command "no crypto engine accelerator"), since there are several bugs not yet fixed with encryption cards in manual mode.

When the remote node tries to send packets inside the tunnel towards the router, debugging (crypto engine enabled) shows a message such as "invalid SPI", but the SPI shown in the log message is the same as the SPI configured in the router.

4 Replies

a.lysyuk
Level 1

Hello.

Do you have any NAT devices in the path between the Cisco 1751 router and the Ericsson remote node?

reggiani
Level 1

Unfortunately I cannot give you a sure answer, since the remote node is located inside a foreign provider's network.

Anyway, the packet comes from the internet towards the 1751, and by means of a sniffer I've checked that:

- the source IP address of the packet is the same as the one configured as the remote peer in the router's configuration for that crypto map

- the destination IP address of the packet is the same as the one configured as the IP address on the public interface of the 1751 (where the crypto map is applied)

- the ESP encapsulation (protocol number 50) of the incoming packet is correct

- the incoming SPI is the same as the one configured in the router for that crypto map

In spite of that, the debugging message shows all parameters correct, but also "SPI invalid".

bye, Andrea

mnaveen
Level 1

Hi,

If the received IPsec packet specifies an SPI that does not exist in the SADB, this may be a temporary condition due to slight differences in aging of SAs between the IPsec peers, or it may be because the local SAs have been cleared. It may also be because of incorrect packets sent by the IPsec peer. This may also be an attack.

The proposed action

----------------------------

The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.

Regards,

Naveen

mnaveen@cisco.com
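As an added example (not code from this thread, from Cisco or from IOS), here is a small Python model of the receive-side checks behind an "invalid SPI" report on a manual, IKE-less SA: the four things Andrea verified with the sniffer (peer address, local interface address, protocol 50, SPI value) followed by the SADB lookup that Naveen's message explanation refers to. The IOS-style manual crypto map snippet, the addresses 198.51.100.1 / 203.0.113.1, the SPIs 1000 / 1001 and the hex keys are all constructed; `parse_manual_sadb`, `build_ipv4_esp`, `check_inbound` and the status strings are my own names, not an IOS API. The lookup also reports the case where the SPI in the packet is one the router has configured only on its outbound SA, because in manual mode each direction carries its own SPI and the receiver only matches against the inbound one.

```python
# Added example: models the receive-side checks behind an "invalid SPI" log for a
# manual (IKE-less) IPsec SA. Not IOS code; the config, addresses, SPIs and keys
# below are constructed for illustration.
import re
import struct
from ipaddress import ip_address

ESP = 50  # IP protocol number for ESP

# Constructed IOS-style manual crypto map. SPIs are per direction: the inbound
# SPI (1000) is what the peer must put in the ESP header of packets it sends to
# us; the outbound SPI (1001) goes in the packets we send to the peer.
ROUTER_CONFIG = """\
crypto ipsec transform-set MANUAL esp-3des esp-sha-hmac
 mode tunnel
crypto map VPN 10 ipsec-manual
 set peer 198.51.100.1
 set transform-set MANUAL
 set session-key inbound esp 1000 cipher 00112233445566778899aabbccddeeff0011223344556677 authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1001 cipher 76543210ffeeddccbbaa99887766554433221100ffeeddcc authenticator 76543210fedcba9876543210fedcba9876543210
 match address 101
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
"""


def parse_manual_sadb(config: str) -> dict:
    """Build a minimal SADB {peer, local, inbound{spi: keys}, outbound{spi: keys}}
    from the 'set peer', 'set session-key' and 'ip address' lines."""
    sadb = {"peer": None, "local": None, "inbound": {}, "outbound": {}}
    iface_ip = None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"set peer (\S+)$", s):
            sadb["peer"] = m.group(1)
        elif m := re.match(r"set session-key (inbound|outbound) esp (\d+) cipher (\w+)(?: authenticator (\w+))?", s):
            sadb[m.group(1)][int(m.group(2))] = {"cipher": m.group(3), "authenticator": m.group(4)}
        elif m := re.match(r"ip address (\S+) \S+$", s):
            iface_ip = m.group(1)
        elif s.startswith("crypto map ") and "ipsec-manual" not in s and iface_ip:
            # 'crypto map VPN' under an interface: that interface's address is
            # the local tunnel endpoint.
            sadb["local"] = iface_ip
    return sadb


def build_ipv4_esp(src: str, dst: str, spi: int, seq: int, proto: int = ESP,
                   payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed IPv4 + ESP packet (IP header checksum left at zero; the
    checks below never look at it)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    esp_hdr = struct.pack("!II", spi, seq)  # ESP header: SPI, then sequence number
    return ip_hdr + esp_hdr + payload


def check_inbound(packet: bytes, sadb: dict) -> str:
    """Status of a packet arriving on the crypto-map interface, in the order the
    sniffer checks were made: peer, local address, protocol, then SPI lookup in
    the inbound SADB."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ip_address(packet[12:16]))
    dst = str(ip_address(packet[16:20]))
    if src != sadb["peer"]:
        return "peer-mismatch"
    if dst != sadb["local"]:
        return "local-address-mismatch"
    if proto != ESP:
        return "not-esp"
    spi, _seq = struct.unpack("!II", packet[ihl:ihl + 8])
    if spi in sadb["inbound"]:
        return "ok"
    if spi in sadb["outbound"]:
        # The number is configured on the router, but only for the sending
        # direction, so the receive-side lookup still fails.
        return "invalid-spi-outbound-only"
    return "invalid-spi-unknown"


def diagnose_samples() -> list:
    """Run four constructed packets from the peer through the checks."""
    sadb = parse_manual_sadb(ROUTER_CONFIG)
    peer, local = sadb["peer"], sadb["local"]
    samples = [
        ("correct inbound SPI", build_ipv4_esp(peer, local, 1000, 1)),
        ("peer used our outbound SPI", build_ipv4_esp(peer, local, 1001, 1)),
        ("unknown SPI", build_ipv4_esp(peer, local, 0x1234, 1)),
        ("same SPI, not ESP", build_ipv4_esp(peer, local, 1000, 1, proto=6)),
    ]
    return [(label, check_inbound(pkt, sadb)) for label, pkt in samples]


if __name__ == "__main__":
    for label, status in diagnose_samples():
        print(f"{label:28s} -> {status}")
```

The point the model makes visible is that "the SPI in the packet equals a number in my configuration" is not the same question as "the SPI in the packet is in my inbound SADB"; on IOS, `show crypto ipsec sa` lists the inbound and outbound SPIs of an SA separately, so that is where to compare the logged value against the direction it was entered under.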

reggiani
Level 1

The mode of IPsec is manual, so the lifetime of the SAs is infinite.

Anyway, a new bug ID has been created for this problem; the code is CSCea69097.

In the bug description a workaround is explained, but at the moment it doesn't work yet.