Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
27616
Views
5
Helpful
0
Comments

User receives the IKE packet from [IP_address] was not encrypted and it should've been error message

TCC_2
Level 10
Level 10

on ‎06-22-2009 05:05 PM

Core issue

The %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from [IP_address] was not encrypted    and it should've been error message results from a portion of the Internet Key Exchange (IKE) being encrypted, and a portion being unencrypted. This message should have been encrypted, but was not.

Resolution

The recommended action is to contact the remote peer.

Make sure that the Access Control Lists (ACLs) configured for the crypto map are mirror    images of each other at opposite VPN endpoints. For example, if you have the access-list command on VPN router A, then VPN router B would need to be configured identically, as shown:

access-list 101 permit ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 192.168.2.0 0.0.0.255

This output shows how the VPN router B needs to be configured:

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255

Note: Do not use the any keyword in crypto access-list commands.

If you still receive the same error message after you have configured the ACLs correctly, capture the VPN debugs on the remote end, and look for error messages there.

For an explanation of common debug error messages used in resolving IPSec issues, refer to IP Security Troubleshooting - Understanding and Using debug Commands.

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents