CRYPTO-4-RECVD_PKT_NOT_IPSEC - caused by crypto map on inbound interface?

crhodes
Level 1

I'm trying to establish an IPSEC tunnel between two IOS routers.

The local router (say Router A) can establish an IPSEC tunnel and send encrypted packets to the remote router (say router B), but when router B tries to send traffic to router A via the IPSEC tunnel, router A reports the following error:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 172.16.70.4, src_addr= 172.16.196.254, prot= 1

I'm wondering if the problem is due to router B having the crypto map statement on the interface that receives packets from 172.16.196.254, not on the interface that sends the packets to the next hop towards router A.

We have

host (172.16.196.254)
|
firewall
|
router B: Interface F0/0
    ip 172.16.224.1 (the IPsec address for router B)
    crypto map mymap
router B: Interface S0/0.1
|
WAN link
|
router C
|
router A: interface F0/0
    ip 203.17.35.225 (the IPsec address for router A)
    crypto map mymap
router A: interface F0/1
    ip 172.16.70.1
|
host (172.16.70.4)

Any thoughts/suggestions appreciated.

3 Replies

kmarrero
Level 4

The problem could be with your ACLs not matching. The following document shows an example of two routers where one router has an access-list for inside-host to inside-host and the other has an access-list for interface to interface. The document states that the ACLs should be symmetric.

http://www.cisco.com/warp/public/707/manual.shtml

rajesh444
Level 1

I am not sure if I understand your question, but as far as I know the crypto map is always applied to the public (dirty) interface on the router. In other words, if router B has a serial interface that connects to the WAN with a public IP, the crypto map should be applied on that interface; the same goes for router A.

Hope this helps.

Regards,

RAJ

Thanks for the replies.

As suggested by RAJ, the problem appears to be a result of having the crypto map applied to the ingress interface of Router B.

I found a reference on CCO stating that the crypto map needs to be applied to the egress interface.

Regards
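
The fix the thread settles on, written out as an IOS configuration change for router B. This is an added example, not configuration posted by any participant. The interface names and the map name mymap come from the topology in the question; the local-address line assumes router A's peer statement points at 172.16.224.1, the address the question calls router B's IPsec address.

```cisco
! --- Router B as described in the question -------------------------------
! The crypto map sits on F0/0, the interface that RECEIVES traffic from
! host 172.16.196.254. Traffic leaving toward router A via S0/0.1 never
! passes through a crypto map, so it is forwarded in the clear and
! router A logs %CRYPTO-4-RECVD_PKT_NOT_IPSEC.
!
! interface FastEthernet0/0
!  crypto map mymap
!
! --- Corrected placement ---------------------------------------------------
! Remove the map from the ingress interface...
interface FastEthernet0/0
 no crypto map mymap
!
! ...and apply it to the egress interface facing the WAN link.
interface Serial0/0.1
 crypto map mymap
!
! Assumption: router A peers with 172.16.224.1 (the F0/0 address).
! Without this line, router B would source IKE/IPsec from the S0/0.1
! address once the map moves there, and router A's peer statement
! would no longer match.
crypto map mymap local-address FastEthernet0/0
!
! --- Checks after the change (exec mode) -----------------------------------
! show crypto map
!   confirms which interface(s) are using crypto map mymap
! show crypto ipsec sa
!   "#pkts encaps" on router B and "#pkts decaps" on router A should both
!   increase while 172.16.196.254 pings 172.16.70.4
```

If the error persists after the move, compare the crypto access lists on both routers: as kmarrero's reply notes, they need to be symmetric (mirror images of each other).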