12-01-2012 09:00 AM - edited 03-07-2019 10:21 AM
Hi Everyone.
I have set up an IPSEC tunnel in the lab.
On both devices I see this message in the logs:
Dec 1 09:52:49.600 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.13.1, src_addr= 192.168.23.3, prot= 47
Second Router
(ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
001031: Dec 1 09:55:36.269 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.23.3 192.168.13.1 QM_IDLE 1011 ACTIVE
IPv6 Crypto ISAKMP SA
Thanks
mahesh
12-01-2012 09:26 PM
Hi,
Before putting the crypto map mymap on the tunnel source interface, each router saw the tunnel interface as an EIGRP neighbor.
Now I added a few network statements under router eigrp 2 on each router, as the tunnel was not carrying any traffic.
Now router 3 has
Dec 1 22:17:03.191 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec 1 22:18:05.169 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec 1 22:19:06.390 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec 1 22:20:06.500 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec 1 22:21:07.001 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
R3# sh ip ei
# sh ip eigrp 2 nei
IP-EIGRP neighbors for process 2
R3#sh cry
R3#sh crypto is
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.23.3 192.168.13.1 QM_IDLE 2003 ACTIVE
IPv6 Crypto ISAKMP SA
R1
.3 (Tunnel0) is up: new adjacency
Dec 1 22:22:58.166 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is down: retry limit exceeded
Dec 1 22:23:01.490 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is up: new adjacency
Dec 1 22:23:20.034 MST: %SYS-5-CONFIG_I: Configured from console by mintoo on console
R1#sh ip eigrp 2 neighbors
EIGRP-IPv4:(2) neighbors for process 2
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.13.3 Tu0 14 00:00:33 1 5000 2 0
isakmp
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.23.3 192.168.13.1 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
Seems EIGRP nei on R1 router is flapping
thanks
Mahesh
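Added example, not part of any post in this thread: a Python script that rejoins the wrapped console lines shown above and counts which flows arrived unencrypted, alongside EIGRP neighbor changes. IOS logs %CRYPTO-4-RECVD_PKT_NOT_IPSEC when a received packet matches the crypto map ACL but is not IPsec-encapsulated. The sample log is constructed from lines in the posts, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: console lines in the format shown in this thread,
# including lines wrapped at the terminal width as the console prints them.
SAMPLE = """\
Dec 1 22:17:03.191 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec 1 22:18:05.169 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSE
C packet.
(ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec 1 22:22:58.166 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13
.3 (Tunnel0) is down: retry limit exceeded
Dec 1 22:23:01.490 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13
.3 (Tunnel0) is up: new adjacency
"""

PROTO = {47: "GRE", 50: "ESP", 51: "AH", 88: "EIGRP", 89: "OSPF"}  # IP protocol numbers
STAMP = re.compile(r"^(?:\d+: )?[A-Z][a-z]{2} +\d+ [\d:.]+ \w+: ")
CLEAR = re.compile(r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr= (\S*)/([\d.]+), "
                   r"src_addr= ([\d.]+), prot= (\d+)")
FLAP = re.compile(r"%DUAL-5-NBRCHANGE:.*?Neighbor ([\d.]+) \((\S+)\) is (up|down)")

def unwrap(text):
    """Rejoin console lines that were wrapped at the terminal width."""
    msgs = []
    for line in text.splitlines():
        if STAMP.match(line) or not msgs:
            msgs.append(line)          # a timestamp starts a new message
        else:
            # a continuation that starts a new field gets its space back
            msgs[-1] += (" " if line.startswith("(") else "") + line
    return msgs

def summarize(text):
    """Count cleartext flows (src, dst, protocol) and EIGRP neighbor changes."""
    clear, flaps = Counter(), Counter()
    for msg in unwrap(text):
        if m := CLEAR.search(msg):
            _vrf, dst, src, prot = m.groups()
            clear[(src, dst, PROTO.get(int(prot), prot))] += 1
        elif m := FLAP.search(msg):
            flaps[m.groups()] += 1     # (neighbor, interface, up|down)
    return clear, flaps
```

A steady count of GRE (protocol 47) from the tunnel peer means the peer is sending tunnel packets that its own crypto map never encrypted.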
12-01-2012 09:31 PM
Hi Rick,
I did debug ip eigrp on R1; here is the info:
Dec 1 22:29:52.670 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:29:53.006 MST: EIGRP: Retransmission retry limit exceeded
Dec 1 22:29:53.010 MST: EIGRP: Holdtime expired
Dec 1 22:29:53.010 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is down: retry limit exceeded
Dec 1 22:29:53.010 MST: Going down: Peer 172.16.13.3 total=0 stub 0, iidb-stub=0 iid-all=0
Dec 1 22:29:53.010 MST: EIGRP: Neighbor 172.16.13.3 went down on Tunnel0
Dec 1 22:29:55.694 MST: EIGRP: New peer 172.16.13.3
Dec 1 22:29:55.694 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is up: new adjacency
Dec 1 22:29:55.918 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:29:57.490 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:00.782 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:02.254 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:02.254 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:07.006 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:09.878 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:11.550 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:14.766 MST: EIGRP: Packet from ourselves ignored
Dec 1 22:30:16.506 MST: EIGRP: Packet from ourselves ignored
12-02-2012 03:37 PM
Hi Mahesh,
Can you try using a static route instead of EIGRP for the GRE tunnel interface?
I set up your design and am using a static route. It works just fine.
I don't know exactly how yours is set up, but mine is like this:
R1-----------sw------------r2
gre/ipsec between r1 and r2
See configs
Rich,
You are correct Sir. The source and destinations are in different subnets.
HTH
Reza
r1
----------
R1#sh run
Building configuration...
Current configuration : 1906 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 10.1.1.1
!
!
crypto ipsec transform-set to-r2 esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set to-r2
match address 101
!
!
!
!
interface Tunnel0
ip address 192.168.3.1 255.255.255.0
tunnel source GigabitEthernet0/1
tunnel destination 10.1.1.1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback10
ip address 20.20.20.20 255.255.255.255
!
interface GigabitEthernet0/0
no ip address
ip router isis 1
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map myvpn
!
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 2.2.2.0 0.0.0.255 area 0
!
router isis 1
net 49.0001.0000.0000.0001.00
is-type level-2-only
metric-style wide
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 5.5.5.0 mask 255.255.255.0
neighbor 2.2.2.1 remote-as 1
neighbor 2.2.2.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.1 activate
neighbor 2.2.2.1 send-community extended
exit-address-family
!
ip classless
ip route 30.30.30.30 255.255.255.255 192.168.3.2
!
!
ip http server
no ip http secure-server
!
access-list 101 permit gre any any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport input all
transport output all
!
scheduler allocate 20000 1000
!
end
R1#
r2
---------
R2#sh run
Building configuration...
Current configuration : 1702 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 1.1.1.2
!
!
crypto ipsec transform-set to-r1 esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set to-r1
match address 101
!
!
!
!
interface Tunnel0
ip address 192.168.3.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 1.1.1.2
!
interface Loopback0
ip address 2.2.2.3 255.255.255.255
!
interface Loopback10
ip address 30.30.30.30 255.255.255.255
!
interface GigabitEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip router isis 1
duplex auto
speed auto
mpls ip
crypto map myvpn
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 2.2.2.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
!
router isis 1
net 49.0001.0000.0000.0002.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
ip classless
ip route 20.20.20.20 255.255.255.255 192.168.3.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit gre any any
!
!
!
tftp-server flash:c2800nm-adventerprisek9_ivs-mz.124-3g.bin
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport input all
transport output all
!
scheduler allocate 20000 1000
!
end
R2#
r1
R1#sh ip os ne
Neighbor ID Pri State Dead Time Address Interface
2.2.2.1 1 FULL/BDR 00:00:37 1.1.1.1 GigabitEthernet0/1
R1#
r2
R2#sh ip os ne
Neighbor ID Pri State Dead Time Address Interface
2.2.2.1 1 FULL/DR 00:00:32 10.1.1.2 GigabitEthernet0/0
R2#
R1#sh crypto isakmp sa
dst src state conn-id slot status
1.1.1.2 10.1.1.1 QM_IDLE 1 0 ACTIVE
R1#
R2#sh crypto isakmp sa
R2#sh crypto isakmp sa
dst src state conn-id slot status
1.1.1.2 10.1.1.1 QM_IDLE 1 0 ACTIVE
R2#
here is the config from both routers:
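Added example, not part of Reza's post: a Python check that a GRE tunnel in a `sh run` dump is actually covered by the crypto map, since GRE leaving an interface without the map reaches the peer unencrypted. The sample is constructed from the R1 stanzas above; the function names are this example's own, and it assumes a numbered crypto ACL, a tunnel source given as an interface name, and '!' lines between stanzas.

```python
import re

# Constructed sample: the GRE/IPsec stanzas of the R1 config posted above.
R1 = """\
crypto map myvpn 10 ipsec-isakmp
set peer 10.1.1.1
match address 101
!
interface Tunnel0
tunnel source GigabitEthernet0/1
tunnel destination 10.1.1.1
!
interface GigabitEthernet0/1
crypto map myvpn
!
access-list 101 permit gre any any
"""
# Constructed fault: the crypto map removed from the tunnel source interface.
NO_MAP = R1.replace("crypto map myvpn\n!", "!")

def blocks(cfg):
    """Split 'sh run' text on '!' lines; key each block by its first line."""
    out = {}
    for chunk in re.split(r"(?m)^![ \t]*$", cfg):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def check_gre_ipsec(cfg):
    """Return a list of mismatches between each GRE tunnel and its crypto map."""
    b, problems = blocks(cfg), []
    acls = re.findall(r"(?m)^access-list (\d+) permit gre ", cfg)
    for head, body in b.items():
        if not head.startswith("interface Tunnel"):
            continue
        opts = dict(l.split()[1:3] for l in body
                    if l.startswith("tunnel ") and len(l.split()) > 2)
        src, dst = opts.get("source"), opts.get("destination")
        phys = b.get(f"interface {src}", [])
        maps = [l.split()[2] for l in phys if l.startswith("crypto map ")]
        if not maps:
            problems.append(f"{head}: no crypto map on tunnel source {src}")
            continue
        # only the first sequence entry of the map is inspected
        entry = next((v for k, v in b.items() if k.startswith(f"crypto map {maps[0]} ")), [])
        if f"set peer {dst}" not in entry:
            problems.append(f"{head}: crypto map peer is not tunnel destination {dst}")
        if not any(l == f"match address {a}" for l in entry for a in acls):
            problems.append(f"{head}: crypto ACL does not permit gre")
    return problems
```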
12-02-2012 06:45 PM
Hi Reza,
So you mean just to use the static route, and no need to use OSPF and BGP as it's in your config?
Thanks
Mahesh
12-02-2012 06:59 PM
Hi,
Sorry for the confusion. Please ignore all the BGP, ISIS configs.
I am running OSPF between all 3 devices (r1----sw1----r2) and I can ping from r1 to r2 loopback address and vice versa. So, the config is working fine.
Now, for the tunnel itself I am using static routes. From r1
ip route 30.30.30.30 255.255.255.255 192.168.3.2
and then you also see a static route on r2.
So, I am using static routes to reach 30.30.30.30 and 20.20.20.20 and tunnel0 and for everything else I am using OSPF.
I am also attaching the diagram for the network.
HTH
Reza
12-02-2012 07:11 PM
Hi Mahesh,
This is a document I used to create the drawing and the configs. Just the IPs are different:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml
HTH
12-02-2012 07:17 PM
Hi Reza,
I will use that document and update you.
Regards
Mahesh
12-16-2012 10:01 AM
Hi Reza,
Thanks for your help again
Regards
Mahesh
12-16-2012 09:59 AM
Hi Rick,
You were right. The tunnel was up and operational, but no traffic was passing through it, as active traffic was going via another interface.
That was the reason I was having issues with IPSEC.
Best regards
Mahesh
12-16-2012 06:20 PM
Mahesh
I am glad that you have resolved the issues. Thank you for posting to the forum to indicate that it was resolved. And thank you for using the rating system to mark the question as resolved.
HTH
Rick