Hi everyone, can someone please help me with this? Here are the configs and the error messages.
Config:
Crypto session current status
Interface: Virtual-Access1
Session status: DOWN
Peer: 45.3.2.1 port 500
IPSEC FLOW: permit ip host 105.99.10.63 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
......
Active SAs: 0, origin: crypto map
Interface: Dialer1
Session status: UP-ACTIVE
Peer: 45.3.2.1 port 500
IKE SA: local 105.99.10.63/500 remote 45.3.2.1/500 Active
Error log:
*Jun 19 16:35:55 edt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /105.99.10.63, src_addr= 68.2.112.74, prot= 6
105.99.10.63 is the Dialer1 interface's IP address
Hello @Mozambique ,
can you provide the configuration of ACL 120?
You should avoid using the any keyword in this ACL.
Please note that your IPsec peer is 45.3.2.1 and the unencrypted packet is received from source 68.2.112.74.
This should be legitimate unencrypted traffic.
Hope to help
Giuseppe
Hello @Giuseppe Larosa,
Thank you for the answer. ACL 120:
permit ip host 105.99.10.63 any
permit ip 104.161.42.101 0.0.0.15 any
permit ip host 10.65.22.22 any
Also, 68.2.112.74 is not the only source from which the device is receiving IPsec packets in the error logs; there are about 4 others.
And neither is the peer (45.3.2.1).
Hello @Mozambique ,
you have to write the ACL 120 from the point of view of internal traffic.
In other words, it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the IPsec peer.
example:
Your local LAN is 192.168.10.0/24 and the remote LAN is 192.168.50.0/24.
access-list 120 becomes:
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
You are configuring a LAN-to-LAN IPsec VPN and ACL 120 defines the interesting traffic to be encrypted.
This is why any should never be used in an ACL used for this purpose; otherwise your router would expect to receive only encrypted traffic.
note:
on the remote side the ACL has to be the mirror of the local one:
access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
The ACL is written for traffic to be sent, so the source is the local LAN subnet and the destination is the remote peer's LAN subnet.
Hope to help
Giuseppe
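The following script is an added example for this thread, not Cisco code and not something either poster wrote. It implements the check Giuseppe describes: it parses `permit ip` ACEs from a crypto-map ACL, flags `any` and a WAN-address source, verifies that a remote ACL is the mirror of the local one, and shows why the posted ACL makes the router expect the packet from 68.2.112.74 to arrive inside IPsec (the condition behind %CRYPTO-4-RECVD_PKT_NOT_IPSEC). The parser is a hypothetical helper that only understands `permit ip` ACEs; the LAN subnets are the placeholders from Giuseppe's answer, and the ACL and log line are the ones posted in the thread.

```python
"""Lint a Cisco IOS crypto-map ("interesting traffic") ACL and explain a
%CRYPTO-4-RECVD_PKT_NOT_IPSEC line against it.  Added example, not Cisco
code; the ACE parser is a small hypothetical helper for 'permit ip' only."""
import ipaddress
import re
from ipaddress import IPv4Address, IPv4Network

# ACE forms handled: "[access-list N] permit ip SRC DST" where SRC/DST is
# "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
ACE_RE = re.compile(
    r"^(?:access-list\s+\d+\s+)?permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)$"
)
# Pulls the addresses out of the RECVD_PKT_NOT_IPSEC message text.
LOG_RE = re.compile(r"dest_addr=\s*[^/,\s]*/?(?P<dst>[\d.]+).*?src_addr=\s*(?P<src>[\d.]+)")


def to_network(token: str) -> IPv4Network:
    """Turn an ACE address token into a network.  IOS wildcard bits are the
    inverse of a netmask, so invert them before handing them to ipaddress."""
    parts = token.split()
    if parts == ["any"]:
        return IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return IPv4Network(f"{parts[1]}/32")
    addr, wildcard = parts
    netmask = IPv4Address(int(IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    # A non-contiguous wildcard makes ipaddress raise ValueError, which is
    # fine here: a crypto ACL should describe plain subnets.
    return IPv4Network((addr, str(netmask)), strict=False)


def parse_acl(text: str) -> list[tuple[IPv4Network, IPv4Network]]:
    """Parse one ACE per line into (source network, destination network)."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append((to_network(m["src"]), to_network(m["dst"])))
    return aces


def lint_crypto_acl(aces, wan_ip: str) -> list[str]:
    """Report the two mistakes from the thread: 'any' in a crypto ACL, and a
    source that is the router's own WAN address instead of an internal subnet."""
    wan = IPv4Address(wan_ip)
    findings = []
    for n, (src, dst) in enumerate(aces, 1):
        if src.prefixlen == 0 or dst.prefixlen == 0:
            findings.append(f"ACE {n}: 'any' makes every cleartext arrival in that range look like a missing IPsec packet")
        if src.prefixlen == 32 and src.network_address == wan:
            findings.append(f"ACE {n}: source {wan_ip} is the WAN interface, not an internal LAN subnet")
    return findings


def is_mirror(local, remote) -> bool:
    """The remote crypto ACL must be the local one with source/destination swapped."""
    return sorted(local) == sorted((d, s) for s, d in remote)


def expects_encrypted(aces, src_ip: str, dst_ip: str) -> bool:
    """True when a packet src->dst matches the crypto ACL in reverse, i.e. the
    router expected it inside IPsec; arriving in cleartext it is logged as
    RECVD_PKT_NOT_IPSEC."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    return any(d in ace_src and s in ace_dst for ace_src, ace_dst in aces)


def parse_log(line: str) -> tuple[str, str]:
    """Return (src, dst) from a RECVD_PKT_NOT_IPSEC message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a RECVD_PKT_NOT_IPSEC line")
    return m["src"], m["dst"]


# The ACL and log line posted in the thread (WAN address 105.99.10.63).
THREAD_ACL = """
permit ip host 105.99.10.63 any
permit ip 104.161.42.101 0.0.0.15 any
permit ip host 10.65.22.22 any
"""
THREAD_LOG = ("%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
              "(ip) vrf/dest_addr= /105.99.10.63, src_addr= 68.2.112.74, prot= 6")

# Giuseppe's corrected pair, using his placeholder subnets.
LOCAL_ACL = "access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255"
REMOTE_ACL = "access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255"

if __name__ == "__main__":
    posted = parse_acl(THREAD_ACL)
    for finding in lint_crypto_acl(posted, "105.99.10.63"):
        print(finding)
    src, dst = parse_log(THREAD_LOG)
    print("logged packet expected encrypted under posted ACL:", expects_encrypted(posted, src, dst))
    fixed = parse_acl(LOCAL_ACL)
    print("same packet under corrected ACL:", expects_encrypted(fixed, src, dst))
    print("remote ACL mirrors local:", is_mirror(fixed, parse_acl(REMOTE_ACL)))
```

Run it as-is and the posted ACL produces four findings (the first ACE is flagged twice: it uses `any` and its source is the Dialer1 address), the logged 68.2.112.74 -> 105.99.10.63 packet is reported as one the router expected encrypted, and the corrected LAN-to-LAN pair passes both the lint and the mirror check.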