

#71 packet doesn't match the negotiated policy in the SA

Martin Kozelsky

If more security policies are used, packets are sent from Linux through a bad SA on some occasions.

I have Linux with kernel 2.6.26 and racoon 0.7.1; the IPsec tunnel is configured to a Cisco ASA with Cisco Adaptive Security Appliance Software Version 8.0(3)19. The Cisco ASA produces this log:

"Sep 17 2008 16:41:13: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x47068DBF, sequence number= 0x2D) from (user= to The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as, its source as, and its protocol as 1. The SA specifies its local proxy as and its remote_proxy as"

How to get this state:
1. Linux has inner addresses and
2. Router behind ASA has inner address
3. No ISAKMP/IPsec SA is established.
4. Make ping from to, ISAKMP/IPsec SA are established, pings are passing.
5. Make ping from to, IPsec SA isn't established, packets are sent through the bad existing SA, ASA is producing the warning log!
6. Make ping from to, right SA is established, pings are passing and from to too.

There is some mistake with handling the security policy database and the security association database. Output from setkey and the Cisco ASA log are attached.

I tried kernel 2.6.24 first and then 2.6.26 (x86_64, of course), but the situation is the same.


  • Output from setkey and Cisco ASA log

    • status: open --> closed
  • The change of level from "required" to "unique" in setkey command "spdadd" solves this problem.
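The following setkey SPD configuration is an added example illustrating the resolution noted above; it is not the reporter's attachment nor part of ipsec-tools itself. All addresses are constructed from the RFC 5737 documentation ranges: two Linux inner addresses (192.0.2.10 and 192.0.2.20), one remote inner host behind the ASA (198.51.100.1), and tunnel endpoints 203.0.113.1 (Linux) and 203.0.113.2 (ASA). The setkey keyword for the level the ticket calls "required" is `require`.

```conf
# Added example (not from the ticket). Constructed addresses:
#   Linux inner addresses:              192.0.2.10, 192.0.2.20 (one policy each)
#   Remote inner host behind the ASA:   198.51.100.1
#   Tunnel endpoints:                   203.0.113.1 (Linux) <-> 203.0.113.2 (ASA)

# --- Problem configuration: level "require" (the ticket writes "required") ---
# Both policies only require *some* ESP tunnel SA between the same two gateways.
# In the behaviour this ticket describes, once the SA negotiated for the
# 192.0.2.10 <-> 198.51.100.1 selector exists, traffic matching the
# 192.0.2.20 policy is sent through that same SA instead of triggering a new
# phase-2 negotiation. The ASA then sees an inner packet outside the SA's
# negotiated proxy IDs and logs %ASA-4-402116.
spdadd 192.0.2.10 198.51.100.1 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.1 192.0.2.10 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 192.0.2.20 198.51.100.1 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.1 192.0.2.20 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;

# --- Fixed configuration: level "unique" with a distinct reqid per policy ---
# An SA carrying reqid 1 may only be used by policies marked unique:1, so the
# 192.0.2.20 policy (unique:2) gets its own SA, negotiated with the correct
# proxy IDs, rather than borrowing the first one.
spdadd 192.0.2.10 198.51.100.1 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/unique:1;
spdadd 198.51.100.1 192.0.2.10 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/unique:1;
spdadd 192.0.2.20 198.51.100.1 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/unique:2;
spdadd 198.51.100.1 192.0.2.20 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/unique:2;
```

Load the policies with `setkey -f <file>` and check them with `setkey -DP`. After pinging from each inner address, `setkey -D` should show two separate ESP SAs in each direction, with `reqid=1` and `reqid=2` respectively, and the ASA should stop logging the proxy mismatch for the second inner address.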