List,
I am still trying to pass traffic between two 7600s on the public internet
using installed SPA-IPSEC-2G blades without success (running
s72033-advipservicesk9_wan-mz.122-33.SXI9)
I have tried tunnel protection, crypto-connect and VRF-mode types of configuration,
none successful.
My deployment has a L3 vlan on the public internet which supports local NAT
translations. This interface should be used as the source on each system to
communicate with the opposite system. The configs below give me the following
error when I try to pass traffic:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr="localpublic", prot=50, spi=0xB54C2EB1(3041668785), srcaddr="remotepiblic"
A side: #sho cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
"localpublic" "remotepiblic" QM_IDLE 68032 ACTIVE
A side: #sho cry session
Crypto session current status
Interface: Vlan2
Session status: UP-ACTIVE
Peer: "remotepiblic" port 500
IKE SA: local "localpublic"/500 remote "remotepiblic"/500 Active
IPSEC FLOW: permit ip host "localpublic" host "remotepiblic"/
Active SAs: 0, origin: crypto map
A Side: #sho cry ips sa active
No SAs found
===========
A Side:
crypto engine mode vrf
access-list 101 permit ip host "localpublic" host "remotepiblic"
crypto keyring GIP
pre-shared-key address "remotepiblic" key "key"
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile GLOBALIP
vrf gip
keyring GIP
match identity address "remotepiblic" 255.255.255.255
!
!
crypto ipsec transform-set GLOBALIP esp-3des esp-sha-hmac
!
crypto map IPSEC local-address Vlan2
crypto map IPSEC 10 ipsec-isakmp
set peer "remotepiblic"
set transform-set GLOBALIP
set pfs group2
set isakmp-profile GLOBALIP
match address 101
interface Vlan2
ip address "localpublic" 255.255.255.240
ip nat outside
ip flow ingress
crypto engine outside
interface Vlan777
ip vrf forwarding gip
ip address 192.168.255.142 255.255.255.252
crypto map IPSEC
crypto engine slot 4/0 inside
==========
B Side:
crypto engine mode vrf
access-list 101 permit ip host "localpublic" host "remotepiblic"
crypto keyring GIP
pre-shared-key address "remotepiblic" key "key"
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile GLOBALIP
vrf gip
keyring GIP
match identity address "remotepiblic" 255.255.255.255
!
!
crypto ipsec transform-set GLOBALIP esp-3des esp-sha-hmac
!
crypto map IPSEC local-address Vlan2
crypto map IPSEC 10 ipsec-isakmp
set peer "remotepiblic"
set transform-set GLOBALIP
set pfs group2
set isakmp-profile GLOBALIP
match address 101
interface Vlan2
ip address "localpublic" 255.255.255.240
ip nat outside
ip flow ingress
crypto engine outside
interface Vlan777
ip vrf forwarding gip
ip address 192.168.255.141 255.255.255.252
crypto map IPSEC
crypto engine slot 4/0 inside
ANY suggestions here would be a huge help as I am completely stuck at this
time.
Thanks!!
db
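An added example, not from the original post and not Cisco code: a small Python helper that parses the RECVD_PKT_INV_SPI syslog line and the "show crypto session" output quoted above and flags the combination seen here (IKE SA active, zero active IPsec SAs, inbound ESP with an SPI this side does not know, from that same peer). The log line and session text embedded below are constructed from the post, with its placeholder addresses kept as-is.

```python
import re

# Constructed sample input, modelled on the post (placeholder addresses kept).
SYSLOG = [
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    'destaddr="localpublic", prot=50, spi=0xB54C2EB1(3041668785), srcaddr="remotepiblic"',
]
SESSION = """Interface: Vlan2
Session status: UP-ACTIVE
Peer: "remotepiblic" port 500
IKE SA: local "localpublic"/500 remote "remotepiblic"/500 Active
IPSEC FLOW: permit ip host "localpublic" host "remotepiblic"/
Active SAs: 0, origin: crypto map
"""

# Quotes are optional so the same regex works on real output (bare IP addresses).
INV_SPI = re.compile(
    r'RECVD_PKT_INV_SPI:.*destaddr="?([^",\s]+)"?, prot=(\d+), '
    r'spi=(0x[0-9A-Fa-f]+).*srcaddr="?([^"\s]+)"?'
)

def parse_inv_spi(line):
    """Return dst/proto/spi/src from an invalid-SPI syslog line, or None."""
    m = INV_SPI.search(line)
    if not m:
        return None
    return {"dst": m.group(1), "proto": int(m.group(2)),
            "spi": int(m.group(3), 16), "src": m.group(4)}

def parse_session(text):
    """Pull peer, IKE state and IPsec SA count out of 'show crypto session'."""
    peer = re.search(r'Peer: "?([^"\s]+)"? port', text)
    ike = re.search(r"IKE SA:.*\bActive\b", text)
    sas = re.search(r"Active SAs: (\d+)", text)
    return {"peer": peer.group(1) if peer else None,
            "ike_active": bool(ike),
            "active_sas": int(sas.group(1)) if sas else 0}

def diagnose(syslog_lines, session_text):
    """Flag peers that send ESP (proto 50) we cannot decrypt while IKE is up
    but no IPsec SA is installed: the peer holds a phase-2 SA this side lacks."""
    sess = parse_session(session_text)
    findings = []
    for line in syslog_lines:
        ev = parse_inv_spi(line)
        if not ev or ev["src"] != sess["peer"] or ev["proto"] != 50:
            continue
        if sess["ike_active"] and sess["active_sas"] == 0:
            findings.append(f"peer {ev['src']}: IKE active, 0 IPsec SAs, "
                            f"unknown inbound ESP spi {ev['spi']:#x}")
    return findings
```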
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/