Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
192
Views
10
Helpful
4
Replies
Highlighted
Mozambique
Beginner
Beginner
‎01-18-2021 02:04 AM
‎01-18-2021 02:04 AM

Incoming traffic is not encrypted

Hi everyone, can please help me with this? Here are the configs, and the error messages.

 

Config:

 

interface ATM0
 no ip address
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode adsl2
!
interface ATM0.1 point-to-point
 description ODR ADSL
 no ip proxy-arp
 snmp trap link-status
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
 
 
interface Dialer1    
 description ADSL connection to Frankfurt
 mtu 1492
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname 123997
 ppp chap password 7 1412083G18517GH7D
 ppp pap sent-username 123997 password 7 1412083G18517GH7D
 crypto map VPN
! (edited) 
 
 
crypto ipsec transform-set 3DESSET esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN 120 ipsec-isakmp
 description tunnel to Frankfurt VPN
 set peer 45.3.2.1
 set security-association lifetime seconds 86400
 set transform-set ESP-AES-256-SHA
 match address 120
!

 

Crypto session current statusInterface: Virtual-Access1
Session status: DOWN
Peer: 45.3.2.1 port 500
  IPSEC FLOW: permit ip host 105.99.10.63 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  ......


        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-ACTIVE
Peer: 45.3.2.1 port 500
  IKE SA: local 105.99.10.63/500 remote 45.3.2.1/500 Active
 

 

 

 

 

 

Error log:

*Jun 19 16:35:55 edt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /105.99.10.63, src_addr= 68.2.112.74, prot= 6

 

105.99.10.63 is the Dialer1 interface's IP address

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Giuseppe Larosa
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
In response to Mozambique
‎01-18-2021 04:49 AM
‎01-18-2021 04:49 AM

Hello @Mozambique ,

you have to write the ACL 120 from the point of view of internal traffic.

In other words it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the the IPSec peer.

example:

You local LAN is 192.168.10.0/24   and the remote network LAN is 192.168.50.0/24

access-list 120 becomes:

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255

 

You are configuring a LAN to LAN IPSEC VPN and ACL 120 defines the interesting traffic to be encrypted.

 

This is why any should never be used in an ACL used fo this purpose otherwise your router would expect to receive only encrypted traffic.

 

note:

on remote side the ACL has to be the mirror of the local one:

access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

The ACL is written for traffic to be sent so the the source is the local LAN subnet and the destination is the remote peer's LAN subnet.

 

Hope to help

Giuseppe

 

View solution in original post

Reply
4 REPLIES 4
Highlighted
Giuseppe Larosa
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
‎01-18-2021 03:00 AM
‎01-18-2021 03:00 AM

Hello @Mozambique ,

can you provide the configuation of ACL 120 ?

you should avoid to use the any keyword in this ACL.

 

please note that your IPSec peer is  45.3.2.1  and the unencrypted packet is received from source 68.2.112.74,

This should be legitimate un-encrypted traffic.

 

Hope to help

Giuseppe

 

Reply
Highlighted
Mozambique
Beginner
Beginner
In response to Giuseppe Larosa
‎01-18-2021 03:21 AM
‎01-18-2021 03:21 AM

Hello @Giuseppe Larosa,

 

Thank you for the answer. ACL 120:

permit ip host 105.99.10.63 any

permit ip 104.161.42.101 0.0.0.15 any

permit ip host 10.65.22.22 any

 

Also, 68.2.112.74 is not the only source from what the device is receving IpSec packets in the error logs, there are about 4 other.

And neither is the peer (45.3.2.1)

 

 

0 Helpful
Reply
Highlighted
Giuseppe Larosa
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
In response to Mozambique
‎01-18-2021 04:49 AM
‎01-18-2021 04:49 AM

Hello @Mozambique ,

you have to write the ACL 120 from the point of view of internal traffic.

In other words it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the the IPSec peer.

example:

You local LAN is 192.168.10.0/24   and the remote network LAN is 192.168.50.0/24

access-list 120 becomes:

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255

 

You are configuring a LAN to LAN IPSEC VPN and ACL 120 defines the interesting traffic to be encrypted.

 

This is why any should never be used in an ACL used fo this purpose otherwise your router would expect to receive only encrypted traffic.

 

note:

on remote side the ACL has to be the mirror of the local one:

access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

The ACL is written for traffic to be sent so the the source is the local LAN subnet and the destination is the remote peer's LAN subnet.

 

Hope to help

Giuseppe

 

View solution in original post

Reply
Highlighted
Mozambique
Beginner
Beginner
In response to Giuseppe Larosa
‎01-18-2021 08:58 AM
‎01-18-2021 08:58 AM

Thank you very much @Giuseppe Larosa 

If I'll have a chance, I'll try that.

0 Helpful
Reply
Latest Contents
CATALYST TUESDAY - MARCH 9 - Enterprise Campus BGP EVPN Solu...
Created by Scott Hodgdon on 03-04-2021 09:23 AM
0
5
0
5
Join us for the next Catalyst Tuesday session on March 9 - Enterprise Campus BGP EVPN Solution Overview : This session will cover the Enterprise BGP EVPN Solution in the Campus using the Catalyst 9K platform. We will discuss the major drivers behind ... view more
Community Live Event- ISR1100X-4G and ISR1100X-6G Platform O...
Created by Cisco Moderador on 03-02-2021 05:23 AM
1
0
1
0
Community Live- ISR1100X-4G and ISR1100X-6G Platform Overview and Architecture (Live event -  Tuesday, 23 March, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event will have place on Tuesday 23rd, March 2021 at 10:00 hrs PDT&... view more
Cisco Secure Network Access Bridges the Gap
Created by Kelli Glass on 02-26-2021 04:19 PM
0
0
0
0
Cisco Secure Network Access is helping IT to bridge the gap between what is essential to the business and what the network delivers and to build the next-generation campus network for an unplugged and uninterrupted experience. Learn more about how these w... view more
Community Live Video - New Additions to the Catalyst 8000 Fa...
Created by Cisco Moderador on 02-24-2021 08:49 AM
0
0
0
0
(view in My Videos) Community Live- New Additions to the Catalyst 8000 Family (Live event -  Tuesday, 23 February, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event had place on Tuesday 23rd, February 2021 at 10:00 hrs PDT... view more
New Additions to the Catalyst 8000 Family- FAQ
Created by Cisco Moderador on 02-24-2021 07:23 AM
0
0
0
0
This event had place on Tuesday 23rd, February 2021 at 10hrs PDT  Introduction Designed for an intent-based network, the Cisco Catalyst 8000 Edge Platforms family offers best-in-class networking and security combined. The platforms, available in b... view more
Content for Community-Ad