SPI Matching

rajesh.aesi · ‎06-23-2020

How to disable SPI matching on IOS 15.X ?

I tried to give command: no crypto ipsec nat-transparency spi-match

but then also in "show ip nat translation" I am getting SPI instead of port no

Francesco Molino · ‎06-23-2020

Hi

What's your goal?
Why not using nat-t auto detection and auto negotiation with the command:
crypto ipsec nat-transparency udp-encapsulation

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

rajesh.aesi · ‎06-23-2020

Hi

I am just experimenting.

rajesh.aesi · ‎06-23-2020

I am also confused weather SPI match is enabled by default or not.

Please check attach image.

Francesco Molino · ‎06-23-2020

If you do a show run all | inc crypto ipsec nat-transparency , you'll see which one is by default. Normally it should be UDP nat-t.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

rajesh.aesi · ‎06-23-2020

After disabling both

Thanks a lot for prompt response.

no crypto ipsec nat-transparency udp-encap

no crypto ipsec nat-transparency spi-match

I am getting below output on my NAT device, which clearly indicating instead of port no its using SPI though I have disabled spi-match

Francesco Molino · ‎06-27-2020

You can preserve the port if you want but it won't react correctly on some vpn gateways.
Look at this doc: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-applvlgw.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question