IPSEC tunnel error crypto recvd packet

mahesh18
Level 6

Hi Everyone.

I have set up an IPSEC tunnel in the lab.

On both devices I see this message in the logs:

Dec  1 09:52:49.600 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /192.168.13.1, src_addr= 192.168.23.3, prot= 47

Second Router

        (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

001031: Dec  1 09:55:36.269 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

        (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.23.3    192.168.13.1    QM_IDLE           1011 ACTIVE

IPv6 Crypto ISAKMP SA

Thanks

mahesh

2 Accepted Solutions

Mahesh

When you use the value 6 for the ISAKMP key then IOS expects the value you enter to be the already encrypted key value. Since you do not have a previously encrypted version of the key you should use the 0 value - which it seems you have now done.

From the fact that it shows that there is an EIGRP neighbor for EIGRP 2 do I understand that now your IPSec tunnel is working?

There is another aspect of this that you will want to work on. It looks to me like the tunnel is up and operational but that no traffic is flowing through the tunnel. This is because there is no routing information that would forward traffic through the tunnel. EIGRP 2 has a network statement for the tunnel interface so EIGRP is running over that interface. But there is no other route to be advertised over the tunnel. The easy solution would be to put a network statement under EIGRP 2 for some networks that are locally connected on each router.

HTH

Rick


Hi Mahesh,

This is a document I used to create the drawing and the configs.  Just the IPs are different:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

HTH


24 Replies

Richard Burts
Hall of Fame

Mahesh

It sounds like there is some mismatch in config between the routers which causes a router to send a data packet not encrypted which matches the other router criteria for what should be encrypted.

HTH

Rick

Sent from Cisco Technical Support iPad App


Hi Rick,

Thanks for the reply.

I will check my config again and will update you.

Regards

Mahesh

Reza Sharifi
Hall of Fame

Hi Mahesh,

(ip) vrf/dest_addr= /192.168.13.1, src_addr= 192.168.23.3, prot= 47

I think source and destination have to be on the same subnet.

Are 13.1 and 23.3 on the same subnet?

What is the mask?

HTH

Reza

Hi Reza,

They have the same mask, 255.255.255.0:

192.168.13.1 255.255.255.0

192.168.23.3 255.255.255.0

Thanks

Mahesh

Hi Mahesh,

If the mask is /24 (255.255.255.0) then they are not in the same subnet, because the 3rd octets are different.

Try this

192.168.13.1 255.255.255.0

192.168.13.3 255.255.255.0

Now they are in the same subnet.

HTH

Reza

Hi Reza,

I am putting in the new config again.

I will update you once I am done.

I erased the old config and did a reboot.

Thanks

Mahesh

Hi Rick and Reza,

I have set up tunnel interfaces on R1 and R3; currently I have not set up any IPsec yet.

I am able to ping from R1 to R3.

Here is the config of R1:

sh run int tunnel 0

Building configuration...

Current configuration : 128 bytes

!

interface Tunnel0

ip address 172.16.13.1 255.255.255.0

tunnel source FastEthernet0/10

tunnel destination 192.168.23.3

end

R1 connects to R2 via EIGRP.

Here is the config for the R1 to R2 connection:

!

interface FastEthernet0/10

  ip address 192.168.13.1 255.255.255.0

end

R2 has a connection to R3.

************************************************************************

R3 has this config:

sh run int tunnel 0

Building configuration...

Current configuration : 125 bytes

!

interface Tunnel0

ip address 172.16.13.3 255.255.255.0

tunnel source FastEthernet1

tunnel destination 192.168.13.1

Connection from R3 to R2:

sh run int fa1

Building configuration...

Current configuration : 150 bytes

!

interface FastEthernet1

description EIGRP Connection to R2

ip address 192.168.23.3 255.255.255.0

duplex auto

speed auto

end

Now I did a traceroute from R3 to R1 Tunnel interface 0:

traceroute 172.16.13.1

Type escape sequence to abort.

Tracing the route to 172.16.13.1

  1 172.16.13.1 0 msec 0 msec *

So it sees it as a directly connected interface.

So I need to confirm that when tunnel traffic goes from R3 to the R1 Tunnel 0 interface,

from R3 it takes the source as the R3 interface Fa1 and the destination is the R1 Fa0/10 interface IP.

So currently the physical path of traffic is from R3 to R2 and then to R1, right?

Thanks

Mahesh

Mahesh

I must differ with my colleague Reza about source and destination being on the same subnet. With GRE tunnels the common case is that source and destination are different networks. As you have demonstrated the tunnel works fine with source and destination in different networks - when there is no crypto configured. So this supports my original suggestion that there is some mismatch between routers about their crypto configuration.

I suggest that you configure crypto again. If the problem still happens then please post the configs.

HTH

Rick


Hi Rick,

Thanks for the reply again.

It's always a pleasure to read your replies.

Now I will configure the crypto again and will update you.

Regards

Mahesh

Hi Rick,

While configuring each peer using the key for Internet Security Association and Key Management Protocol (ISAKMP),

I have these options on R1 and R3:

R3(config)#crypto isakmp key ?

  0     Specifies an UNENCRYPTED password will follow

  6     Specifies an ENCRYPTED password will follow

  WORD  The UNENCRYPTED (cleartext) user password

On R1, which is a 3550 switch, I have only these options:

crypto isakmp  key ?

  0  Specifies an UNENCRYPTED password will follow

  6  Specifies an ENCRYPTED password will follow

Should I choose option 6 on both the devices?

It seems earlier I chose option 0 on both the devices.

Thanks

Mahesh

Mahesh

In general I suggest that you want to use the 0 option. This indicates that you will be entering the key as clear text. If you do have an encrypted version of that key then use the 6 option. But in my experience we do not very often have an already encrypted password.

HTH

Rick


Hi Rick,

I chose option 6 for the above post, and after that, as soon as I did the following config on

R3 int fa1

crypto map mymap

and R1 int fa0/10

crypto map mymap

I see this on R1:

#end

Dec  1 14:56:24.788 MST: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1#

Dec  1 14:56:26.320 MST: %SYS-5-CONFIG_I:

onsole

R1#

Dec  1 14:56:29.260 MST: %SEC-6-IPACCESSLOGRP: list 101 permitted gre 192.168.13.1 -> 192.168.23.3, 1 packet

Dec  1 14:56:29.264 MST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.23.3

After this I lost the EIGRP neighbor between the two tunnels.

Also I was unable to ping the tunnel IP from R1 and R3.

******************************************************************************

Config of R1, R2 and R3:

R1#sh running-config

Building configuration...

vtp mode transparent

!

!

crypto pki trustpoint TP-self-signed-4246472704

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4246472704

revocation-check none

rsakeypair TP-self-signed-4246472704

!

!

crypto pki certificate chain TP-self-signed-4246472704

certificate self-signed 01


  quit

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

crypto isakmp key 6 cisco address 192.168.23.3

!

!

crypto ipsec transform-set mytrans ah-md5-hmac esp-des esp-sha-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 192.168.23.3

set transform-set mytrans

match address 101

!

!

!

interface Tunnel0

ip address 172.16.13.1 255.255.255.0

tunnel source FastEthernet0/10

tunnel destination 192.168.23.3

!

interface Loopback0

ip address 172.16.1.1 255.255.255.0

shutdown

!

!

!

!

router eigrp 1

no auto-summary

network 192.168.13.0

!

!

router eigrp 2

no auto-summary

network 172.16.0.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

!

access-list 101 permit gre host 192.168.13.1 host 192.168.23.3 log

!

R1#

R1#

R1#

R1#sh ip ei

R1#sh ip eigrp 1 nei

EIGRP-IPv4:(1) neighbors for process 1

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

0   192.168.13.2            Fa0/10            13 01:41:52    9   300  0  5

R1#sh ip eigrp 2 nei

EIGRP-IPv4:(2) neighbors for process 2

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

0   172.16.13.3             Tu0               14 00:07:41    4  1434  0  9

R1#192.168.13.2

Trying 192.168.13.2 ... Open

Password:

R2#sh run

R2#sh running-config

Building configuration...

Current configuration : 6514 bytes

!

! Last configuration change at 13:25:18 MST Sat Dec 1 2012 by mintoo

! NVRAM config last updated at 13:25:20 MST Sat Dec 1 2012 by mintoo

!

!

!

crypto pki trustpoint TP-self-signed-421391488

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-421391488

revocation-check none

rsakeypair TP-self-signed-421391488

!

!

crypto pki certificate chain TP-self-signed-421391488

certificate self-signed 01


  quit

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

!

!

!

!

interface FastEthernet0/1

no switchport

ip address 192.168.23.2 255.255.255.0

!

!

interface FastEthernet0/10

no switchport

ip address 192.168.13.2 255.255.255.0

!

!

interface Vlan1

no ip address

shutdown

!

!

router eigrp 1

no auto-summary

network 192.168.13.0

network 192.168.23.0

!

!

ip classless

ip http server

ip http secure-server

!

!

!

control-plane

!

R2#

R2#

R2#sh ip ei

R2#sh ip eigrp 2 nei

R2#sh ip eigrp 1 nei

EIGRP-IPv4:(1) neighbors for process 1

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

1   192.168.23.3            Fa0/1             12 01:40:57    4   200  0  3

0   192.168.13.1            Fa0/10            12 01:42:48 1024  5000  0  4

R2#192.168.23.3

Trying 192.168.23.3 ... Open

User Access Verification

Password:

R3#sh run

R3#sh running-config

Building configuration...

Current configuration : 3972 bytes

!

! Last configuration change at 14:59:08 MST Sat Dec 1 2012 by mintoo

! NVRAM config last updated at 14:55:52 MST Sat Dec 1 2012 by mintoo

!

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

!

hostname R3

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096 informational

!

no aaa new-model

clock timezone MST -7

clock summer-time MST recurring

!

!

!

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

lifetime 3600

!

!

crypto ipsec transform-set mytrans ah-md5-hmac esp-des esp-sha-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 192.168.13.1

set transform-set mytrans

match address 101

!

!

!

!

interface Loopback0

ip address 172.16.3.1 255.255.255.0

shutdown

!

interface Tunnel0

ip address 172.16.13.3 255.255.255.0

tunnel source FastEthernet1

tunnel destination 192.168.13.1

!

no bridge-group 98 unicast-flooding

!

!

interface FastEthernet1

description EIGRP Connection to Int fas0/1 R2

ip address 192.168.23.3 255.255.255.0

duplex auto

speed auto

!

!

ip tcp adjust-mss 1452

!

router eigrp 1

network 192.168.23.0

no auto-summary

!

router eigrp 2

network 172.16.0.0

no auto-summary

!

!

no ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

!

access-list 101 permit gre host 192.168.23.3 host 192.168.13.1 log

!

!

!

!

!

!

control-plane

!

R3#

R3#

R3#

R3#sh ip ei

R3#sh ip eigrp 2 nei

IP-EIGRP neighbors for process 2

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

0   172.16.13.1             Tu0               12 00:09:20    3  1434  0  11

R3#sh ip eigrp 1 nei

IP-EIGRP neighbors for process 1

Thanks

Mahesh
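As an added example (not code from the thread or from Cisco), a small Python checker that applies Rick's diagnosis to the configs posted above: it parses the crypto sections of both peers, checks that peers, crypto ACLs and transform-sets mirror each other, flags a type-6 ISAKMP key, and decides whether a %CRYPTO-4-RECVD_PKT_NOT_IPSEC line describes a cleartext packet that the local crypto ACL says should have arrived as IPsec. The config fragments and log line are constructed from the thread's output; R3's "crypto isakmp key" line is an assumption, since it does not appear in the posted config.

```python
import re
# Constructed config fragments modelled on the R1 and R3 running-configs in the thread;
# R3's "crypto isakmp key" line is an assumption (it is not in the posted output).
R1_CFG = """
crypto isakmp key 6 cisco address 192.168.23.3
crypto ipsec transform-set mytrans ah-md5-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set mytrans
 match address 101
access-list 101 permit gre host 192.168.13.1 host 192.168.23.3 log
"""
R3_CFG = """
crypto isakmp key 0 cisco address 192.168.13.1
crypto ipsec transform-set mytrans ah-md5-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.13.1
 set transform-set mytrans
 match address 101
access-list 101 permit gre host 192.168.23.3 host 192.168.13.1 log
"""
# Constructed copy of the R1 syslog line from the first post, joined onto one line.
R1_LOG = ("Dec  1 09:52:49.600 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC"
          " packet. (ip) vrf/dest_addr= /192.168.13.1, src_addr= 192.168.23.3, prot= 47")

def parse_crypto(cfg):
    """Extract the fields that must agree between two IPsec peers from an IOS config."""
    grab = lambda pat: re.search(pat, cfg, re.M)
    acl = grab(r"^access-list \d+ permit (\S+) host (\S+) host (\S+)")
    return {"key_type": int(grab(r"^crypto isakmp key (\d) ").group(1)),
            "peer": grab(r"^\s*set peer (\S+)").group(1),
            "transform": grab(r"^crypto ipsec transform-set \S+ (.+)$").group(1).strip(),
            "acl_proto": acl.group(1), "acl_src": acl.group(2), "acl_dst": acl.group(3)}

def check_peers(a, b):
    """List the mismatches Rick's diagnosis points at between two parsed peer configs."""
    findings = []
    if a["peer"] != b["acl_src"] or b["peer"] != a["acl_src"]:
        findings.append("set peer does not match the other side's crypto ACL source")
    if (a["acl_src"], a["acl_dst"], a["acl_proto"]) != (b["acl_dst"], b["acl_src"], b["acl_proto"]):
        findings.append("crypto ACLs are not mirror images")
    if a["transform"] != b["transform"]:
        findings.append("transform-sets differ")
    for side, c in (("a", a), ("b", b)):
        if c["key_type"] == 6:  # type 6 means IOS expects an already-encrypted key value
            findings.append(f"{side}: key 6 with a cleartext key will not match the peer")
    return findings

LOG_RE = re.compile(r"RECVD_PKT_NOT_IPSEC:.*?dest_addr= /(\S+), src_addr= (\S+), prot= (\d+)", re.S)
IP_PROTO = {47: "gre", 6: "tcp", 17: "udp", 1: "icmp"}

def explain_log(line, local):
    """Is the cleartext packet in a RECVD_PKT_NOT_IPSEC line one the local crypto ACL,
    read in the inbound direction, says should have arrived as IPsec?"""
    m = LOG_RE.search(line)
    if not m:
        return None
    dst, src, proto = m.group(1), m.group(2), IP_PROTO.get(int(m.group(3)), m.group(3))
    hit = proto == local["acl_proto"] and src == local["acl_dst"] and dst == local["acl_src"]
    return {"src": src, "dst": dst, "proto": proto, "matches_crypto_acl": hit}
```

Run against the two fragments, the only finding is R1's type-6 key, and the R1 log line is classified as a GRE packet the crypto ACL covers, which is exactly the "unencrypted packet matching the crypto ACL" symptom Rick described.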

Hi Rick,

I chose option 0; then also it's the same thing.

Thanks

Mahesh
