cisco 1721 vpn config and symantec vpn client


I have a cisco 1721 with the vpn module and the ios firewall. I have several users who connect to a variety of clients using various bits of different vpn client software (symantec, checkpoint etc). I recently added a site to site vpn to another client. This has caused some sort of issue in that the symantec vpn software can download its tunnel, but when I try to connect to a machine at the end of the tunnel the connection fails.

I have done some initial debugging. This is the output for a failed connection:

IP NAT IPsec debugging is on

Feb 22 15:57:53.563: NAT: IPsec: using mapping to create outbound ESP IL=, SPI=AFD208FA, IG=

Feb 22 15:57:53.563: NAT: IPSec: created In->Out ESP translation IL= SPI=0xAFD208FA, IG=,
OL=, OG=

Feb 22 15:57:53.563: NAT: IPSec: Inside host (IL= trying to open an ESP connection to Outside host
(OG=, wait for Out->In reply

Feb 22 15:57:53.611: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
 invalid spi for destaddr=, prot=50, spi=0x60F4470E(1626621710), srcaddr=

(the ip addresses have been changed)

If I remove the crypto map for the outside interface the connections work as expected (i.e. I can download connect the symantec vpn client and make connection down the tunnel). Incidentally the checkpoint client vpns work on both configs.

Here is the router config (I have changed the ip address and chopped some of the additional interfaces out)
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key blahblahblah address
crypto ipsec transform-set vpn-set esp-des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer
 set security-association lifetime kilobytes 8192
 set security-association lifetime seconds 7200
 set transform-set vpn-set
 match address 103
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle ena
 dsl operating-mode auto
 hold-queue 208 in
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 10

interface FastEthernet0
 description internal network
 ip address
 ip access-group 100 in
 ip nat inside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 speed auto
interface Dialer10
 description ADSL Dialer Interface
 ip address
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 10
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
 crypto map SDM_CMAP_1

ip classless
ip route Dialer10

ip nat inside source route-map SDM_RMAP_2 interface Dialer10 overload
access-list 100 remark ORIGINATING FROM INT FA0
access-list 100 deny   ip any
access-list 100 deny   ip host any
access-list 100 deny   ip any
access-list 100 permit ip any any log

access-list 101 remark dialer 10 inbound firewall rules
access-list 101 permit ip
access-list 101 permit udp host host eq non500-isakmp
access-list 101 permit udp host host eq isakmp
access-list 101 permit esp host host
access-list 101 permit ahp host host
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 permit ip host host log
access-list 101 permit icmp any host echo-reply
access-list 101 permit icmp any host time-exceeded
access-list 101 permit icmp any host unreachable
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip host any
access-list 101 deny   ip host any log
access-list 101 deny   ip any any log

access-list 103 permit ip

access-list 160 remark nat rule
access-list 160 deny   ip
access-list 160 permit tcp any
access-list 160 permit icmp any
access-list 160 permit ip any
route-map SDM_RMAP_2 permit 1
 match ip address 160

I'm not sure how difficult this question is, but it is quite urgent so I have assigned it 500 points. Any help or pointers would be great, and will be rewarded accordingly.

many thanks

Do you have a copy of the config BEFORE the changes were made for the site-site tunnel and the Symantec client worked?
I don't think that Cisco officially supports any VPN client except their own.

V-TenAuthor Commented:
Hi Irmoore,

If I take out the crypto map SDM_CMAP_1 from the dialer 10 interface the symantec vpn traffic is passed through the router to the internal client quite happily. It seems like the router is applying the crypto rules to all ipsec traffic as opposed to just the traffic that I have defined in the access-list.
Is this default behaviour on a cisco, or have I done something wrong, and if it is default behaviour is there anything I can do to make it ignore ipsec traffic that is not part of the tunnel that I have defined?

(sorry lots of questions)

>vpn traffic is passed through the router to the internal client quite happily.
I must have been confused. Let me make sure I understand.
The Symantec VPN client user is on the INSIDE of this router, connecting to some external server?

V-TenAuthor Commented:
That's correct.
You have already defined the traffic that will traverse the lan-lan tunnel with acl 103

>crypto map SDM_CMAP_1 1 ipsec-isakmp
>>  match address 103 <<
>access-list 103 permit ip

This should exclude any traffic between client, say talking to the remote VPN server, public IP
However, by enabling the crypto map on the interface, the router thinks all ISAKMP and ESP traffic are destined for itself and not a client on the inside.
IPSEC nat transparency should fix that by encapsulating in UDP packets. This requires support at the router (transparent and enabled by default in 12.2T and newer), on the Symantec client, and at the symantec server end.
Ask whoever has the Symantec server end if they have enabled UDP/NAT-transparency for clients.
Check the client to see if UDP is an option.
Check your router OS version to see if it supports it.
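
Added example, not part of the original thread: a short Python script that pairs each %CRYPTO-4-RECVD_PKT_INV_SPI event with a NAT ESP pass-through flow still waiting for its Out->In reply from the same outside peer, which is the signature of the router's crypto map consuming an inside client's ESP reply. The sample log is constructed from the debug lines in the question with documentation-range addresses filled in; the function name and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the debug lines in the question; the addresses
# are documentation-range placeholders, not values from the original post.
SAMPLE_LOG = """\
Feb 22 15:57:53.563: NAT: IPSec: Inside host (IL=192.168.1.10) trying to open an ESP connection to Outside host (OG=198.51.100.20), wait for Out->In reply
Feb 22 15:57:53.611: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.5, prot=50, spi=0x60F4470E(1626621710), srcaddr=198.51.100.20
Feb 22 16:10:02.100: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.5, prot=50, spi=0x11223344(287454020), srcaddr=192.0.2.77
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
NAT_WAIT = re.compile(TS + r"NAT: IPSec: Inside host \(IL=(?P<il>[\d.]+)\).*"
                      r"\(OG=(?P<og>[\d.]+)\), wait for Out->In reply")
INV_SPI = re.compile(TS + r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*prot=50, "
                     r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)")

def _when(ts):
    # IOS debug timestamps carry no year; pin one so strptime is unambiguous.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")

def find_swallowed_esp(log_text, window=timedelta(seconds=5)):
    """Return INV_SPI events that match a pending NAT ESP pass-through flow."""
    pending = {}   # outside peer -> (inside host, time NAT began waiting)
    hits = []
    for line in log_text.splitlines():
        m = NAT_WAIT.search(line)
        if m:
            pending[m["og"]] = (m["il"], _when(m["ts"]))
            continue
        m = INV_SPI.search(line)
        if m and m["src"] in pending:
            inside, started = pending[m["src"]]
            # Only count drops that arrive shortly after NAT began waiting.
            if timedelta(0) <= _when(m["ts"]) - started <= window:
                hits.append({"inside": inside, "peer": m["src"], "spi": m["spi"]})
    return hits

if __name__ == "__main__":
    for hit in find_swallowed_esp(SAMPLE_LOG):
        print("ESP reply from {peer} for inside host {inside} was taken by the "
              "router's crypto engine (spi {spi})".format(**hit))
```

An INV_SPI event from a peer with no pending pass-through flow, like the third sample line, is left unflagged because it has a different cause.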


V-TenAuthor Commented:
Thanks very much. I'll give it a go.
V-TenAuthor Commented:
Sorry for the slow reply. I have had some difficulty in speaking to the people at the end of the vpn.
You are absolutely correct in that it has to use UDP/Nat-transparency. Unfortunately (for me) the symantec client is apparently unable to support this, so I guess I am going to have to get another ip address.

many thanks for your help.
