ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

User receives the IKE packet from [IP_address] was not encrypted and it should've been error message

24829
Views
5
Helpful
0
Comments

Core issue

The %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from [IP_address] was not encrypted    and it should've been error message results from a portion of the Internet Key Exchange (IKE) being encrypted, and a portion being unencrypted. This message should have been encrypted, but was not.

Resolution

The recommended action is to contact the remote peer.

Make sure that the Access Control Lists (ACLs) configured for the crypto map are mirror    images of each other at opposite VPN endpoints. For example, if you have the access-list command on VPN router A, then VPN router B would need to be configured identically, as shown:

access-list 101 permit ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 192.168.2.0 0.0.0.255

This output shows how the VPN router B needs to be configured:

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255

Note: Do not use the any keyword in crypto access-list commands.

If you still receive the same error message after you have configured the ACLs correctly, capture the VPN debugs on the remote end, and look for error messages there.

For an explanation of common debug error messages used in resolving IPSec issues, refer to IP Security Troubleshooting - Understanding and Using debug Commands.