IPSEC tunnel error crypto recvd packet

mahesh18
Level 6

Hi Everyone.

I have set up an IPSEC tunnel in the lab.

On both devices I see this message in the logs:

Dec  1 09:52:49.600 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

        (ip) vrf/dest_addr= /192.168.13.1, src_addr= 192.168.23.3, prot= 47

Second Router

        (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

001031: Dec  1 09:55:36.269 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

        (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.23.3    192.168.13.1    QM_IDLE           1011 ACTIVE

IPv6 Crypto ISAKMP SA

Thanks

mahesh


Hi,

Before putting the crypto map mymap on the tunnel source interface, each router saw the tunnel interface as an EIGRP neighbor.

Now I added a few network statements under router eigrp 2 on each router, as the tunnel was not carrying any traffic.

Now router 3 has

Dec  1 22:17:03.191 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

Dec  1 22:18:05.169 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

Dec  1 22:19:06.390 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

Dec  1 22:20:06.500 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

Dec  1 22:21:07.001 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47

R3#                sh ip ei

#                sh ip eigrp 2 nei

IP-EIGRP neighbors for process 2

R3#sh cry

R3#sh crypto is

R3#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.23.3    192.168.13.1    QM_IDLE           2003 ACTIVE

IPv6 Crypto ISAKMP SA

R1

.3 (Tunnel0) is up: new adjacency

Dec  1 22:22:58.166 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is down: retry limit exceeded

Dec  1 22:23:01.490 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is up: new adjacency

Dec  1 22:23:20.034 MST: %SYS-5-CONFIG_I: Configured from console by mintoo on console

R1#sh  ip eigrp 2 neighbors

EIGRP-IPv4:(2) neighbors for process 2

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

0   172.16.13.3             Tu0               14 00:00:33    1  5000  2  0

isakmp

R1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.23.3    192.168.13.1    QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

Seems EIGRP nei on R1 router is flapping

thanks

Mahesh

Hi Rick,

I did debug ip eigrp on R1. Here is the info:

Dec  1 22:29:52.670 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:29:53.006 MST: EIGRP: Retransmission retry limit exceeded

Dec  1 22:29:53.010 MST: EIGRP: Holdtime expired

Dec  1 22:29:53.010 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is down: retry limit exceeded

Dec  1 22:29:53.010 MST: Going down: Peer 172.16.13.3 total=0 stub 0, iidb-stub=0 iid-all=0

Dec  1 22:29:53.010 MST: EIGRP: Neighbor 172.16.13.3 went down on Tunnel0

Dec  1 22:29:55.694 MST: EIGRP: New peer 172.16.13.3

Dec  1 22:29:55.694 MST: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(2) 2: Neighbor 172.16.13.3 (Tunnel0) is up: new adjacency

Dec  1 22:29:55.918 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:29:57.490 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:00.782 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:02.254 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:02.254 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:07.006 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:09.878 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:11.550 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:14.766 MST: EIGRP: Packet from ourselves ignored

Dec  1 22:30:16.506 MST: EIGRP: Packet from ourselves ignored

Hi Mahesh,

Can you try using a static route instead of EIGRP for the GRE tunnel interface?

I set up your design and am using a static route.  It works just fine.

I don't know exactly how yours is set up, but mine is like this:

R1-----------sw------------r2

gre/ipsec between r1 and r2

See configs

Rich,

You are correct Sir.  The source and destinations are in different subnets.

HTH

Reza

r1

----------

R1#sh run          

Building configuration...

Current configuration : 1906 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

ip subnet-zero

!

!

ip cef

!

!

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

username cisco privilege 15 password 0 cisco

!

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ciscokey address 10.1.1.1

!

!

crypto ipsec transform-set to-r2 esp-des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 10.1.1.1

set transform-set to-r2

match address 101

!

!

!

!

interface Tunnel0

ip address 192.168.3.1 255.255.255.0

tunnel source GigabitEthernet0/1

tunnel destination 10.1.1.1

!

interface Loopback0

ip address 2.2.2.2 255.255.255.255

!

interface Loopback10

ip address 20.20.20.20 255.255.255.255

!

interface GigabitEthernet0/0

no ip address

ip router isis 1

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 1.1.1.2 255.255.255.0

duplex auto

speed auto

crypto map myvpn

!

router ospf 1

log-adjacency-changes

network 1.1.1.0 0.0.0.255 area 0

network 2.2.2.0 0.0.0.255 area 0

!

router isis 1

net 49.0001.0000.0000.0001.00

is-type level-2-only

metric-style wide

!

router bgp 1

no synchronization

bgp log-neighbor-changes

network 5.5.5.0 mask 255.255.255.0

neighbor 2.2.2.1 remote-as 1

neighbor 2.2.2.1 update-source Loopback0

no auto-summary

!

address-family vpnv4

neighbor 2.2.2.1 activate

neighbor 2.2.2.1 send-community extended

exit-address-family

!

ip classless

ip route 30.30.30.30 255.255.255.255 192.168.3.2

!

!

ip http server

no ip http secure-server

!

access-list 101 permit gre any any

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

gatekeeper

shutdown

!

!

line con 0

line aux 0

line vty 0 4

exec-timeout 0 0

login local

transport input all

transport output all

!

scheduler allocate 20000 1000

!

end

R1#

r2

---------

R2#sh run

Building configuration...

Current configuration : 1702 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

ip subnet-zero

!

!

ip cef

!

!

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

username cisco privilege 15 password 0 cisco

!

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ciscokey address 1.1.1.2

!

!

crypto ipsec transform-set to-r1 esp-des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 1.1.1.2

set transform-set to-r1

match address 101

!

!

!

!

interface Tunnel0

ip address 192.168.3.2 255.255.255.0

tunnel source GigabitEthernet0/0

tunnel destination 1.1.1.2

!

interface Loopback0

ip address 2.2.2.3 255.255.255.255

!

interface Loopback10

ip address 30.30.30.30 255.255.255.255

!

interface GigabitEthernet0/0

ip address 10.1.1.1 255.255.255.0

ip router isis 1

duplex auto

speed auto

mpls ip

crypto map myvpn

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

router ospf 1

log-adjacency-changes

network 2.2.2.0 0.0.0.255 area 0

network 10.1.1.0 0.0.0.255 area 0

!

router isis 1

net 49.0001.0000.0000.0002.00

is-type level-2-only

metric-style wide

passive-interface Loopback0

!

ip classless

ip route 20.20.20.20 255.255.255.255 192.168.3.1

!

!

ip http server

no ip http secure-server

!

access-list 101 permit gre any any

!

!

!

tftp-server flash:c2800nm-adventerprisek9_ivs-mz.124-3g.bin

!

control-plane

!

!

!

!

!

!

!

!

!

!

gatekeeper

shutdown

!

!

line con 0

line aux 0

line vty 0 4

exec-timeout 0 0

login local

transport input all

transport output all

!

scheduler allocate 20000 1000

!

end

R2#

r1

R1#sh ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface

2.2.2.1           1   FULL/BDR        00:00:37    1.1.1.1         GigabitEthernet0/1

R1#

r2

R2#sh ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface

2.2.2.1           1   FULL/DR         00:00:32    10.1.1.2        GigabitEthernet0/0

R2#

R1#sh crypto isakmp sa

dst             src             state          conn-id slot status

1.1.1.2         10.1.1.1        QM_IDLE              1    0 ACTIVE

R1#

R2#sh crypto isakmp sa

R2#sh crypto isakmp sa

dst             src             state          conn-id slot status

1.1.1.2         10.1.1.1        QM_IDLE              1    0 ACTIVE

R2#

here is the config from both routers:

Hi Reza,

So you mean just use the static route, with no need to use OSPF and BGP as it's in your config?

Thanks

Mahesh

Hi,

Sorry for the confusion.  Please ignore all the BGP, ISIS configs.

I am running OSPF between all 3 devices (r1----sw1----r2) and I can ping from r1 to r2 loopback address and vice versa.  So, the config is working fine.

Now, for the tunnel itself I am using static routes.  From r1

ip route 30.30.30.30 255.255.255.255 192.168.3.2

and then you also see a static route on r2.

So, I am using static routes to reach 30.30.30.30 and 20.20.20.20 and tunnel0 and for everything else I am using OSPF.

I am also attaching the diagram for the network.

HTH

Reza

Hi Mahesh,

This is a document I used to create the drawing and the configs.  Just the IPs are different:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

HTH

Hi Reza,

I will use that document and update you.

Regards

Mahesh

Hi Reza,

Thanks for your help again

Regards

Mahesh

Hi Rick,

You were right. The tunnel was up and operational, but no traffic was passing through it, as active traffic was going via another interface.

That was the reason I was having issues with IPSEC.

Best regards

Mahesh

Mahesh

I am glad that you have resolved the issues. Thank you for posting to the forum to indicate that it was resolved. And thank you for using the rating system to mark the question as resolved.

HTH

Rick
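
Added example, not code from any poster in this thread: %CRYPTO-4-RECVD_PKT_NOT_IPSEC reports a packet that matched the crypto map ACL but arrived without IPsec encapsulation, and prot= 47 is GRE. The Python below tallies those events per flow, tolerating console-wrapped messages, and keeps the flows whose endpoints also hold a QM_IDLE ISAKMP SA, which is the combination shown in the thread. The function names and the 192.0.2.9 sample line are assumptions made for the example; the other sample lines are copied from the posts above.

```python
import re
from collections import Counter

# IANA IP protocol numbers likely to appear in a GRE-over-IPsec lab.
PROTO = {47: "GRE", 50: "ESP", 51: "AH", 88: "EIGRP", 89: "OSPF"}

# re.S plus a bounded gap lets one match span a console-wrapped message.
EVENT_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.{0,120}?vrf/dest_addr=\s*[^/\s]*/(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)", re.S)
# One row of "show crypto isakmp sa": dst, src, state, conn-id, [slot], status.
SA_RE = re.compile(
    r"^\s*(?P<dst>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<state>[A-Z_]+)\s+\d+.*ACTIVE", re.M)

def cleartext_flows(text):
    """Count RECVD_PKT_NOT_IPSEC events per (src, dst, protocol name)."""
    flows = Counter()
    for m in EVENT_RE.finditer(text):
        prot = int(m["prot"])
        flows[(m["src"], m["dst"], PROTO.get(prot, str(prot)))] += 1
    return flows

def flows_between_sa_peers(text):
    """Keep flows whose two endpoints also share a QM_IDLE ISAKMP SA.

    IKE is up between the pair, yet the sender still emits the protocol in
    the clear: check the sender's crypto ACL, crypto map interface and routing.
    """
    peers = {frozenset((m["dst"], m["src"])) for m in SA_RE.finditer(text)
             if m["state"] == "QM_IDLE"}
    return {f: n for f, n in cleartext_flows(text).items()
            if frozenset(f[:2]) in peers}

# Sample input: log and show output from the thread, plus one constructed
# line (src 192.0.2.9, prot 89) from a host that has no SA.
SAMPLE = """\
Dec  1 09:52:49.600 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSE
C packet.
        (ip) vrf/dest_addr= /192.168.13.1, src_addr= 192.168.23.3, prot= 47
Dec  1 22:17:03.191 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec  1 22:18:05.169 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.168.13.1, prot= 47
Dec  1 22:19:00.000 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.23.3, src_addr= 192.0.2.9, prot= 89
dst             src             state          conn-id slot status
192.168.23.3    192.168.13.1    QM_IDLE           1011 ACTIVE
"""

if __name__ == "__main__":
    for (src, dst, proto), n in flows_between_sa_peers(SAMPLE).items():
        print(f"{src} -> {dst}: {n} cleartext {proto} packet(s) while IKE is QM_IDLE")
```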
