Incoming traffic is not encrypted

Hi everyone, can you please help me with this? Here are the configs and the error messages.

Config:

interface ATM0
 no ip address
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode adsl2
!
interface ATM0.1 point-to-point
 description ODR ADSL
 no ip proxy-arp
 snmp trap link-status
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description ADSL connection to Frankfurt
 mtu 1492
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname 123997
 ppp chap password 7 1412083G18517GH7D
 ppp pap sent-username 123997 password 7 1412083G18517GH7D
 crypto map VPN
! (edited) 
crypto ipsec transform-set 3DESSET esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN 120 ipsec-isakmp
 description tunnel to Frankfurt VPN
 set peer 45.3.2.1
 set security-association lifetime seconds 86400
 set transform-set ESP-AES-256-SHA
 match address 120
!

Crypto session current status
Interface: Virtual-Access1
Session status: DOWN
Peer: 45.3.2.1 port 500
  IPSEC FLOW: permit ip host 105.99.10.63 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  ......


        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-ACTIVE
Peer: 45.3.2.1 port 500
  IKE SA: local 105.99.10.63/500 remote 45.3.2.1/500 Active

Error log:

*Jun 19 16:35:55 edt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /105.99.10.63, src_addr= 68.2.112.74, prot= 6

105.99.10.63 is the Dialer1 interface's IP address.


Hello @Mozambique,

can you provide the configuration of ACL 120?

you should avoid using the any keyword in this ACL.

please note that your IPSec peer is 45.3.2.1 and the unencrypted packet is received from source 68.2.112.74.

This should be legitimate un-encrypted traffic.


Hope to help

Giuseppe


Hello @Giuseppe Larosa,


Thank you for the answer. ACL 120:

permit ip host 105.99.10.63 any

permit ip 104.161.42.101 0.0.0.15 any

permit ip host 10.65.22.22 any


Also, 68.2.112.74 is not the only source from which the device is receiving IPsec packets in the error logs; there are about 4 others.

And neither is the peer (45.3.2.1).


Accepted solution

Hello @Mozambique,

you have to write the ACL 120 from the point of view of internal traffic.

In other words, it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the IPSec peer.

example:

Your local LAN is 192.168.10.0/24 and the remote LAN is 192.168.50.0/24.

access-list 120 becomes:

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255


You are configuring a LAN to LAN IPSEC VPN and ACL 120 defines the interesting traffic to be encrypted.

This is why any should never be used in an ACL used for this purpose; otherwise your router would expect to receive only encrypted traffic.


note:

on remote side the ACL has to be the mirror of the local one:

access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

The ACL is written for traffic to be sent, so the source is the local LAN subnet and the destination is the remote peer's LAN subnet.

Hope to help

Giuseppe

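To make the answer's point concrete, here is an added example (not from the thread or from Cisco): a small Python model of how IOS applies a crypto ACL, matching outbound packets as written and inbound clear-text packets with source and destination swapped. It assumes the first-match, implicit-deny semantics of IOS extended ACLs and models only protocol ip; the ACL contents are the ones posted above.

```python
import ipaddress
from typing import List, Tuple

# Constructed from the thread: the ACL 120 the poster shared, and the form suggested in the answer.
ORIGINAL_ACL = [
    "permit ip host 105.99.10.63 any",
    "permit ip 104.161.42.101 0.0.0.15 any",
    "permit ip host 10.65.22.22 any",
]
SUGGESTED_ACL = ["access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255"]

def _parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec (any | host A | A WILDCARD) and return
    (address, mask of bits that must match, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    # A Cisco wildcard has 1-bits where the address may differ, so the match mask is its inverse.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return addr, ~wildcard & 0xFFFFFFFF, tokens[2:]

def parse_ace(line: str) -> Tuple[str, int, int, int, int]:
    """Parse one 'permit ip SRC DST' entry; the 'access-list N' prefix is optional."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action = tokens[0]  # tokens[1] is the protocol; only 'ip' is modelled here
    src, smask, rest = _parse_addr(tokens[2:])
    dst, dmask, _ = _parse_addr(rest)
    return action, src, smask, dst, dmask

def matches(acl: List[str], src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation of an outbound (src -> dst) packet, implicit deny at the end.
    A permit means the packet is 'interesting traffic' and must be encrypted."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for line in acl:
        action, src, smask, dst, dmask = parse_ace(line)
        if (s & smask) == (src & smask) and (d & dmask) == (dst & dmask):
            return action == "permit"
    return False

def classify_inbound_cleartext(acl: List[str], src_ip: str, dst_ip: str) -> str:
    """IOS checks an inbound clear-text packet against the crypto ACL with source and
    destination swapped; a match means it should have arrived inside IPsec, so it is dropped."""
    if matches(acl, dst_ip, src_ip):
        return "DROP: %CRYPTO-4-RECVD_PKT_NOT_IPSEC"
    return "FORWARD: not interesting traffic"
```

Running `classify_inbound_cleartext` on the logged packet (68.2.112.74 to 105.99.10.63) drops it under the original ACL, because `permit ip host 105.99.10.63 any` reversed matches every clear-text packet addressed to the Dialer1 IP, and forwards it under the LAN-to-LAN ACL.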

Thank you very much @Giuseppe Larosa

If I'll have a chance, I'll try that.