

cisco 1721 vpn config and symantec vpn client

Posted on 2005-02-24
Medium Priority
Last Modified: 2013-11-16

I have a Cisco 1721 with the VPN module and the IOS firewall. I have several users who connect to a variety of clients using various bits of different VPN client software (Symantec, Checkpoint etc). I recently added a site-to-site VPN to another client. This has caused some sort of issue in that the Symantec VPN software can download its tunnel, but when I try to connect to a machine at the end of the tunnel the connection fails.

I have done some initial debugging. This is the output for a failed connection:

IP NAT IPsec debugging is on

Feb 22 15:57:53.563: NAT: IPsec: using mapping to create outbound ESP IL=, SPI=AFD208FA, IG=

Feb 22 15:57:53.563: NAT: IPSec: created In->Out ESP translation IL= SPI=0xAFD208FA, IG=,
OL=, OG=

Feb 22 15:57:53.563: NAT: IPSec: Inside host (IL= trying to open an ESP connection to Outside host
(OG=, wait for Out->In reply

Feb 22 15:57:53.611: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
 invalid spi for destaddr=, prot=50, spi=0x60F4470E(1626621710), srcaddr=

(the IP addresses have been changed)

If I remove the crypto map from the outside interface the connections work as expected (i.e. I can connect the Symantec VPN client and make a connection down the tunnel). Incidentally, the Checkpoint client VPNs work on both configs.

Here is the router config (I have changed the IP addresses and chopped some of the additional interfaces out):
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key blahblahblah address
crypto ipsec transform-set vpn-set esp-des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer
 set security-association lifetime kilobytes 8192
 set security-association lifetime seconds 7200
 set transform-set vpn-set
 match address 103
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle ena
 dsl operating-mode auto
 hold-queue 208 in
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 10

interface FastEthernet0
 description internal network
 ip address
 ip access-group 100 in
 ip nat inside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 speed auto
interface Dialer10
 description ADSL Dialer Interface
 ip address
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 10
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
 crypto map SDM_CMAP_1

ip classless
ip route Dialer10

ip nat inside source route-map SDM_RMAP_2 interface Dialer10 overload
access-list 100 remark ORIGINATING FROM INT FA0
access-list 100 deny   ip any
access-list 100 deny   ip host any
access-list 100 deny   ip any
access-list 100 permit ip any any log

access-list 101 remark dialer 10 inbound firewall rules
access-list 101 permit ip
access-list 101 permit udp host host eq non500-isakmp
access-list 101 permit udp host host eq isakmp
access-list 101 permit esp host host
access-list 101 permit ahp host host
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 permit ip host host log
access-list 101 permit icmp any host echo-reply
access-list 101 permit icmp any host time-exceeded
access-list 101 permit icmp any host unreachable
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip host any
access-list 101 deny   ip host any log
access-list 101 deny   ip any any log

access-list 103 permit ip

access-list 160 remark nat rule
access-list 160 deny   ip
access-list 160 permit tcp any
access-list 160 permit icmp any
access-list 160 permit ip any
route-map SDM_RMAP_2 permit 1
 match ip address 160

I'm not sure how difficult this question is, but it is quite urgent so I have assigned it 500 points. Any help or pointers would be great, and will be rewarded accordingly.

many thanks
Question by: V-Ten
LVL 79

Expert Comment

ID: 13416563
Do you have a copy of the config BEFORE the changes were made for the site-site tunnel and the Symantec client worked?
I don't think that Cisco officially supports any VPN client except their own.


Author Comment

ID: 13418143
Hi lrmoore,

If I take out the crypto map SDM_CMAP_1 from the Dialer10 interface the Symantec VPN traffic is passed through the router to the internal client quite happily. It seems like the router is applying the crypto rules to all IPsec traffic as opposed to just the traffic that I have defined in the access-list.
Is this default behaviour on a Cisco, or have I done something wrong? And if it is default behaviour, is there anything I can do to make it ignore IPsec traffic that is not part of the tunnel that I have defined?

(sorry lots of questions)

LVL 79

Expert Comment

ID: 13419158
>vpn traffic is passed through the router to the internal client quite happily.
I must have been confused. Let me make sure I understand.
The Symantec VPN client user is on the INSIDE of this router, connecting to some external server?


Author Comment

ID: 13419181
That's correct.
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 13419322
You have already defined the traffic that will traverse the lan-lan tunnel with acl 103

>crypto map SDM_CMAP_1 1 ipsec-isakmp
>>  match address 103 <<
>access-list 103 permit ip

This should exclude any traffic between a client and, say, the remote VPN server's public IP.
However, by enabling the crypto map on the interface, the router thinks all ISAKMP and ESP traffic is destined for itself and not a client on the inside.
IPsec NAT transparency should fix that by encapsulating in UDP packets. This requires support at the router (transparent and enabled by default in 12.2T and newer), on the Symantec client, and at the Symantec server end.
Ask whoever has the Symantec server end if they have enabled UDP/NAT-transparency for clients.
Check the client to see if UDP is an option.
Check your router OS version to see if it supports it.
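The behaviour lrmoore describes can be made concrete with a small model. The following Python is an added teaching example, not IOS code and not anything from this thread's participants: it assumes, for illustration, that an interface with a crypto map hands inbound ESP to the router's own IPsec stack before outside-to-inside NAT runs, while UDP (including the NAT-T port 4500) still reaches the NAT table. The Router and Packet classes, the SPIs and the RFC 1918 / documentation-range addresses are all constructed for the example.

```python
"""Simplified model of how a NAT router with a crypto map on its outside
interface disposes of inbound IPsec traffic (added example, not IOS code).

Assumed dispatch order on the outside interface:
  1. if a crypto map is applied and the packet is ESP (IP protocol 50)
     addressed to the interface, the router treats it as its own IPsec
     traffic and looks the SPI up in its own inbound SAs;
  2. otherwise the packet goes to outside-to-inside NAT, which keys raw ESP
     by SPI and UDP by destination port (NAT-T uses UDP/4500).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ESP = 50          # IP protocol number for ESP
UDP = 17
NAT_T_PORT = 4500  # UDP port used by IPsec NAT traversal (RFC 3947/3948)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    spi: Optional[int] = None    # ESP SPI, only for raw ESP
    sport: Optional[int] = None  # UDP ports, only for UDP
    dport: Optional[int] = None


@dataclass
class Router:
    outside_ip: str
    crypto_map_applied: bool
    # SPIs of the router's own inbound SAs (the lan-to-lan tunnel)
    own_inbound_spis: Set[int] = field(default_factory=set)
    # NAT table: (protocol, outside port or SPI) -> inside host
    nat_table: Dict[Tuple[int, int], str] = field(default_factory=dict)

    def add_esp_translation(self, inside_host: str, spi: int) -> None:
        """Entry NAT creates when an inside host sends raw ESP outbound."""
        self.nat_table[(ESP, spi)] = inside_host

    def add_udp_translation(self, inside_host: str, outside_port: int) -> None:
        """Entry NAT creates when an inside host sends UDP (e.g. NAT-T) outbound."""
        self.nat_table[(UDP, outside_port)] = inside_host

    def receive_outside(self, pkt: Packet) -> str:
        """Describe what happens to a packet arriving on the outside interface."""
        if pkt.dst != self.outside_ip:
            return "dropped: not addressed to router"
        # Step 1: crypto map claims ESP addressed to the interface.
        if self.crypto_map_applied and pkt.proto == ESP:
            if pkt.spi in self.own_inbound_spis:
                return "decrypted: lan-to-lan tunnel"
            # The reply to the inside client's ESP never reaches NAT.
            return f"%CRYPTO-4-RECVD_PKT_INV_SPI: invalid spi 0x{(pkt.spi or 0):08X}"
        # Step 2: outside-to-inside NAT.
        key = (pkt.proto, pkt.spi if pkt.proto == ESP else pkt.dport)
        inside = self.nat_table.get(key)
        if inside is None:
            return "dropped: no NAT translation"
        return f"translated to inside host {inside}"


def demo() -> Dict[str, str]:
    """Run the four cases discussed in the thread and return the outcomes."""
    client = "192.168.1.20"          # constructed: inside VPN client
    server = "198.51.100.7"          # constructed: remote Symantec server
    peer = "198.51.100.9"            # constructed: lan-to-lan peer
    results = {}
    for crypto_map in (True, False):
        r = Router(outside_ip="203.0.113.1", crypto_map_applied=crypto_map,
                   own_inbound_spis={0x1000ABCD})
        r.add_esp_translation(client, spi=0x2222AAAA)     # constructed SPI
        r.add_udp_translation(client, outside_port=NAT_T_PORT)
        tag = "with_crypto_map" if crypto_map else "without_crypto_map"
        raw_esp = Packet(server, r.outside_ip, ESP, spi=0x2222AAAA)
        nat_t = Packet(server, r.outside_ip, UDP, sport=NAT_T_PORT, dport=NAT_T_PORT)
        results[f"raw_esp_{tag}"] = r.receive_outside(raw_esp)
        results[f"nat_t_{tag}"] = r.receive_outside(nat_t)
    tunnel = Packet(peer, "203.0.113.1", ESP, spi=0x1000ABCD)
    results["own_tunnel"] = Router("203.0.113.1", True, {0x1000ABCD}).receive_outside(tunnel)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} -> {outcome}")
```

Running it shows the two observations from the question side by side: raw ESP for the inside client is consumed by the crypto map and logged as an invalid SPI, the same client's traffic passes once the crypto map is removed, and UDP-encapsulated (NAT-T) traffic passes in both cases because it never looks like the router's own IPsec.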


Author Comment

ID: 13419374
Thanks very much. I'll give it a go.

Author Comment

ID: 13475250
Sorry for the slow reply. I have had some difficulty in speaking to the people at the end of the vpn.
You are absolutely correct in that it has to use UDP/NAT-transparency. Unfortunately (for me) the Symantec client is apparently unable to support this, so I guess I am going to have to get another IP address.

many thanks for your help.

