
decrypted packet failed SA identity check

Status
Not open for further replies.

markd85

Technical User
Nov 1, 2010
11
GB
Hi All,

I've just set up a VPN between a Vigor 2600 and a Cisco 1841 using IPSec with DES-SHA1 Auth.

I have this coming up in debug mode and wanted to know if this is normal for my kind of setup?

IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Everything seems to work fine though; I can ping a PC on either LAN. Part of my config below...

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key burtonst1 address 78.xx.xxx.48
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 78.xx.xxx.48
set transform-set this_should_work
match address Crypto-list
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.78.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 78.xx.xxx.48 any eq isakmp
permit esp host 78.xx.xxx.48 any
!
access-list 100 deny ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 permit ip 192.168.78.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
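
Added example, not part of the original post: a small Python model of what the debug message appears to report, under the assumption that the router compares a decrypted packet's inner source and destination against the SA's proxy identities, which are the mirror of the posted Crypto-list entry. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import re

# Crypto ACL entry copied from the posted config (Cisco wildcard-mask form).
CRYPTO_ACL = "permit ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255"


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network (contiguous masks only)."""
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):  # wildcard host bits must look like 2^n - 1
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    mask = inv ^ 0xFFFFFFFF
    return ipaddress.ip_network((int(ipaddress.IPv4Address(addr)) & mask, bin(mask).count("1")))


def parse_selector(acl_line):
    """Return (local_net, remote_net) from a 'permit ip <src> <wc> <dst> <wc>' entry."""
    m = re.fullmatch(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*", acl_line)
    if not m:
        raise ValueError(f"unsupported ACL entry: {acl_line!r}")
    src, swc, dst, dwc = m.groups()
    return wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)


def inbound_identity_ok(acl_line, inner_src, inner_dst):
    """True if a decrypted packet fits the mirrored selector of the crypto ACL."""
    # Assumption: the inbound SA identity is remote_net -> local_net.
    local_net, remote_net = parse_selector(acl_line)
    return (ipaddress.ip_address(inner_src) in remote_net
            and ipaddress.ip_address(inner_dst) in local_net)


# Constructed inner packets (source, destination) as seen after decryption.
SAMPLES = [
    ("192.168.6.10", "192.168.78.25"),  # remote LAN host -> local LAN host
    ("192.168.6.1", "192.168.78.40"),   # remote LAN address -> 1841 LAN interface
    ("192.168.1.1", "192.168.78.25"),   # source outside the remote subnet
    ("192.168.6.10", "10.0.0.5"),       # destination outside the local subnet
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        verdict = "pass" if inbound_identity_ok(CRYPTO_ACL, src, dst) else "FAIL identity check"
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

Under this model, pings between the two LANs pass while any packet the peer encrypts from outside 192.168.6.0/24 is dropped and logged, which would be consistent with a tunnel that works while the message still appears.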
 