Ok, I got it to work. I had some other issues after the reboot. I get the following, which tells me it's working, and then shortly after the new ipsec sa is formed:
Mar 19 18:38:08.653: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.100.1, prot=50, spi=0xEF6E770D(4016994061), srcaddr=192.168.100.2
Mar 19 18:38:08.777: ISAKMP:(0): no idb in request
Mar 19 18:38:08.781: ISAKMP: Created a peer struct for 192.168.100.2, peer port 500
Mar 19 18:38:08.785: ISAKMP: New peer created peer = 0x66A16E88 peer_handle = 0x80000002
Mar 19 18:38:08.789: ISAKMP: Locking peer struct 0x66A16E88, refcount 1 for ike_initiate_sa_for_inv_spi_recovery

On Fri, Mar 19, 2010 at 11:07 AM, Bryan Bartik <bbar...@ipexpert.com> wrote:
> Hello,
>
> I have been playing around with this command but can not seem to get it to
> work, perhaps I am misunderstanding it. Here is my scenario:
>
> R1---R2
>
> -IPSec VPN (auth via certs) is up and traffic is being encrypted/decrypted
> according to show crypto ipsec sa
> -Reboot R2
> -After R2 comes up, I send traffic from R1 and get this on R2, which is
> expected:
>
> Mar 19 17:38:02.045: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=192.168.100.2, prot=50,
> spi=0x3EF31EC1(1056120513), srcaddr=192.168.100.1
>
> To test the command, I clear all sessions and enable the following on R2:
>
> R2(config)#crypto isakmp invalid-spi-recovery
>
> Now when I perform the same steps above R2 still gives me the invalid SPI
> message and doesn't attempt to bring up the IKE sessions to deliver the
> INVALID SPI NOTIFY message.
>
> R2#
> Mar 19 18:04:08.844: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=192.168.100.2, prot=50,
> spi=0x41BC1D46(1102847302), srcaddr=192.168.100.1
> R2#sho run | inc invali
> crypto isakmp invalid-spi-recovery
>
> I am working off of this guide:
>
> http://www.cisco.com/en/US/partner/docs/ios/sec_secure_connectivity/configuration/guide/sec_invald_index_rec_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
> Am I doing this wrong or should R2 attempt to bring up an IKE session to
> deliver the INVALID SPI NOTIFY message?
>
> --
> Bryan Bartik
> CCIE #23707 (R&S, SP), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>

--
Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
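The thread's working case is recognisable by the pattern in the log: a `%CRYPTO-4-RECVD_PKT_INV_SPI` message followed within a fraction of a second by ISAKMP lines ending in `ike_initiate_sa_for_inv_spi_recovery`; the failing case shows the invalid-SPI message with no IKE follow-up at all. The script below is an added example (not part of the thread or of any Cisco tool) that turns that observation into a log check: it parses both message types from IOS syslog output and reports, per stale SPI, whether the router actually started IKE recovery. It assumes the log arrives one message per line, that the yearless IOS timestamps belong to 2010 (the thread's year), and that an ISAKMP recovery line within a 5 second window belongs to the most recent invalid-SPI event; the sample log is constructed from the thread's lines.

```python
"""Correlate Cisco IOS invalid-SPI syslog events with IKE invalid-spi-recovery attempts.

Added example, not code from the thread. Assumptions: one IOS message per line,
timestamps carry no year (ASSUMED_YEAR is used), and an ISAKMP line mentioning
ike_initiate_sa_for_inv_spi_recovery within RECOVERY_WINDOW of an invalid-SPI
message means recovery fired for that event.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ASSUMED_YEAR = 2010                      # IOS timestamps omit the year (assumption)
RECOVERY_WINDOW = timedelta(seconds=5)   # how long we allow IKE to react (assumption)

# Common timestamp prefix, e.g. "Mar 19 18:38:08.653:"
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}):"

INV_SPI_RE = re.compile(
    _TS + r" %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi"
    r" for destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+),"
    r" spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)
RECOVERY_RE = re.compile(_TS + r" ISAKMP: .*\bike_initiate_sa_for_inv_spi_recovery\b")


def _parse_ts(m) -> datetime:
    """Turn the yearless IOS timestamp into a datetime (year is assumed)."""
    base = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    return base + timedelta(milliseconds=int(m["ms"]))


@dataclass
class InvalidSpiEvent:
    when: datetime
    dst: str            # local address that received the stale ESP packet
    src: str            # peer that still holds the old SA
    prot: int           # 50 = ESP
    spi: str            # hex SPI, uppercase, without the 0x prefix
    recovered: bool = False
    recovery_delay: Optional[float] = None   # seconds until IKE recovery started


def correlate(lines: List[str], window: timedelta = RECOVERY_WINDOW) -> List[InvalidSpiEvent]:
    """Parse invalid-SPI events and mark those followed by an IKE recovery attempt."""
    events: List[InvalidSpiEvent] = []
    for line in lines:
        m = INV_SPI_RE.search(line)
        if m:
            events.append(InvalidSpiEvent(_parse_ts(m), m["dst"], m["src"],
                                          int(m["prot"]), m["spi"].upper()))
            continue
        r = RECOVERY_RE.search(line)
        if r:
            t = _parse_ts(r)
            # Attribute the recovery to the most recent unrecovered event inside the window.
            for ev in reversed(events):
                if not ev.recovered and timedelta(0) <= t - ev.when <= window:
                    ev.recovered = True
                    ev.recovery_delay = (t - ev.when).total_seconds()
                    break
    return events


def unrecovered(events: List[InvalidSpiEvent]) -> List[str]:
    """SPIs for which the router never tried to start IKE: the condition worth alerting on."""
    return [ev.spi for ev in events if not ev.recovered]


# Constructed sample log: the 18:04 line is the thread's failing attempt (no IKE follow-up);
# the 18:38 lines are the working case from the reply.
SAMPLE_LOG = """\
Mar 19 18:04:08.844: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.100.2, prot=50, spi=0x41BC1D46(1102847302), srcaddr=192.168.100.1
Mar 19 18:38:08.653: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.100.1, prot=50, spi=0xEF6E770D(4016994061), srcaddr=192.168.100.2
Mar 19 18:38:08.777: ISAKMP:(0): no idb in request
Mar 19 18:38:08.781: ISAKMP: Created a peer struct for 192.168.100.2, peer port 500
Mar 19 18:38:08.785: ISAKMP: New peer created peer = 0x66A16E88 peer_handle = 0x80000002
Mar 19 18:38:08.789: ISAKMP: Locking peer struct 0x66A16E88, refcount 1 for ike_initiate_sa_for_inv_spi_recovery
"""

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG.splitlines()):
        state = (f"IKE recovery started after {ev.recovery_delay:.3f}s"
                 if ev.recovered else "NO recovery attempt")
        print(f"{ev.when:%H:%M:%S} spi=0x{ev.spi} {ev.src}->{ev.dst}: {state}")
```

Run against a router's buffered log (`show logging` output saved to a file, one message per line), a stale SPI that keeps appearing without a matching recovery line is the signal that `crypto isakmp invalid-spi-recovery` is not taking effect, which is exactly the symptom described in the original question.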