Random Public Addresses coming through ESP

booftw
Level 1

Setting up a point-to-point tunnel with a new vendor. We have an ASA and they are using a Juniper. The tunnel is up and established; he's showing two-way encrypted traffic when I ping. I'm only showing tx traffic from my pings, and when he pings my side I receive this in the logs:


IPSEC: Received an ESP packet (SPI= 0xB4089FFC, sequence number= 0xD7) from x.x.x.x (user= x.x.x.x) to x.x.x.x.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 3da8:3c1a:6942:4c0a:fcec:d89a:5614:c62, its source as 4aac:c0c:56de:a2ed:f91d:816e:8660:be47, and its protocol as 255.  The SA specifies its local proxy as x.x.x.x/255.255.255.255/ip/0 and its remote_proxy as x.x.x.x/255.25


It's a series of random IPv6 and sometimes IPv4 addresses; they're always different with each ping. Has anyone experienced this before?
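As an added triage helper (not from the original thread, and not Cisco or Juniper code): it parses the ASA policy-mismatch message quoted above, checks the decrypted inner header against the SA's proxy identities, and flags an SPI whose "hosts" never repeat between hits, which is what the poster describes. The outer peers, the /24 proxies and every sample line are constructed for the example.

```python
import ipaddress
import re

# Regex for the ASA policy-mismatch syslog quoted above. Proxies are written
# addr/mask/proto/port; the post's truncated remote_proxy is completed here with a constructed value.
MSG_RE = re.compile(r"SPI= (?P<spi>0x[0-9A-Fa-f]+), sequence number= (?P<seq>0x[0-9A-Fa-f]+)\)"
    r".*?destination as (?P<dst>[0-9A-Fa-f.:]+), its source as (?P<src>[0-9A-Fa-f.:]+),"
    r" and its protocol as (?P<proto>\d+)\..*?local proxy as (?P<lp>[0-9.]+)/(?P<lm>[0-9.]+)"
    r"/\S+/\S+ and its remote_proxy as (?P<rp>[0-9.]+)/(?P<rm>[0-9.]+)/\S+/\S+", re.DOTALL)

def parse_event(line):
    """Pull SPI, sequence, inner addresses, protocol and both SA proxies from one syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"spi": m["spi"], "seq": int(m["seq"], 16), "proto": int(m["proto"]),
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "local_proxy": ipaddress.ip_network(f"{m['lp']}/{m['lm']}", strict=False),
            "remote_proxy": ipaddress.ip_network(f"{m['rp']}/{m['rm']}", strict=False)}

def triage(ev):
    """Reasons the inner header fails the SA: inbound, inner src must sit in remote_proxy, inner dst in local proxy."""
    reasons = []
    if ev["proto"] == 255:
        reasons.append("protocol 255 is IANA-reserved, not a real transport")
    if ev["src"].version != ev["remote_proxy"].version or ev["dst"].version != ev["local_proxy"].version:
        return reasons + ["inner address family differs from the proxies"]
    if ev["src"] not in ev["remote_proxy"]:
        reasons.append("inner source outside remote_proxy")
    if ev["dst"] not in ev["local_proxy"]:
        reasons.append("inner destination outside local proxy")
    return reasons

def never_repeating_hosts(events):
    """Heuristic per SPI: True when no inner src/dst pair repeats. Real stray hosts recur; decoded noise does not."""
    by_spi = {}
    for ev in events:
        by_spi.setdefault(ev["spi"], []).append((ev["src"], ev["dst"]))
    return {spi: len(p) > 1 and len(set(p)) == len(p) for spi, p in by_spi.items()}

def asa_msg(spi, seq, dst, src, proto):  # constructed line; outer peers and the /24 proxies are made up
    return (f"IPSEC: Received an ESP packet (SPI= {spi}, sequence number= {seq}) from 198.51.100.2 (user= 198.51.100.2) "
            f"to 203.0.113.10.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet "
            f"specifies its destination as {dst}, its source as {src}, and its protocol as {proto}.  The SA specifies its "
            f"local proxy as 10.10.0.0/255.255.255.0/ip/0 and its remote_proxy as 10.20.0.0/255.255.255.0/ip/0.")

# Constructed sample: three hits on the post's SPI with ever-changing inner addresses, plus one real-host mismatch.
SAMPLE_LOGS = [asa_msg("0xB4089FFC", "0xD7", "3da8:3c1a:6942:4c0a:fcec:d89a:5614:c62", "4aac:c0c:56de:a2ed:f91d:816e:8660:be47", 255),
               asa_msg("0xB4089FFC", "0xD8", "fe12:9a::3b0c", "2f:66:b1a0::9", 255),
               asa_msg("0xB4089FFC", "0xD9", "203.0.113.77", "192.0.2.9", 255),
               asa_msg("0x1A2B3C4D", "0x10", "10.10.0.5", "10.30.0.7", 1)]
```

Run over a real ASA syslog export, an SPI that comes back True from never_repeating_hosts with protocol 255 points at the tunnel's own negotiation rather than at stray hosts behind the peer.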

3 Replies

Could be they are using dual stack or a mixture of IPv4 and IPv6 at the same time.

Please do not forget to rate.

They have confirmed that they are not using any IPv6 addressing on their end, shared some of the logs, and they have no idea where those addresses are coming from. Looked up some of the IPv4 addresses on ARIN and they are from net360, APNIC, IANA reserved, USAISC, etc. No idea how this traffic is getting encapsulated and sent over to us.

Do your site and the remote site have the same phase 1 and phase 2 settings, with mirrored ACLs?

Please do not forget to rate.