12-23-2012 09:24 AM - edited 02-21-2020 06:34 PM
Hi Everyone,
I have a GRE over IPsec tunnel between a 2691 and a 3550.
The 2691 connects to the Internet and does the NAT.
The tunnel seems to be up/up and working fine, but on the 2691 I am seeing these in the logs:
Dec 23 10:07:27.580 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 23 10:08:05.957 MST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mintoo] [Source: 192.168.5.2] [localport: 23] at 10:08:05 MST Sun Dec 23 2012
Dec 23 10:08:27.582 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 23 10:09:27.585 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
2691Router# sh crypto isakmp sa
dst src state conn-id slot status
192.168.5.2 192.168.5.3 QM_IDLE 38 0 ACTIVE
2691Router# sh cry
2691Router# sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: MYVPN, local addr 192.168.5.3
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.5.2/255.255.255.255/47/0)
current_peer 192.168.5.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3646, #pkts encrypt: 3646, #pkts digest: 3646
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.5.3, remote crypto endpt.: 192.168.5.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x28553A1D(676674077)
inbound esp sas:
spi: 0x2BD49D31(735354161)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: AIM-VPN/EPII:2, crypto map: MYVPN
sa timing: remaining key lifetime (k/sec): (4449766/1872)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x28553A1D(676674077)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: AIM-VPN/EPII:1, crypto map: MYVPN
sa timing: remaining key lifetime (k/sec): (4449739/1872)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
How can I fix the log on the 2691 router?
Also, how can I tell which side is doing encryption and which is not?
Many thanks,
Mahesh
12-24-2012 12:07 AM
Dec 23 10:09:27.585 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
That means the remote device is bypassing encryption and sends GRE in clear. Can you show the configs of the device with the IP 192.168.5.3?
Cheers,
12-24-2012 12:33 AM
Hi olpeleri,
Thanks for the reply.
Here is the config of the device with 192.168.5.3:
Current configuration : 9257 bytes
!
! Last configuration change at 14:33:15 MST Sun Dec 23 2012 by mintoo
! NVRAM config last updated at 14:18:18 MST Sun Dec 23 2012 by mintoo
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
!
hostname 2691Router
!
boot-start-marker
boot-end-marker
!
no logging exception
logging count
logging buffered 4096 informational
enable secret level 5 5 $1$EC0J$upgsksyfc5JJ/ree2A9BO0
enable secret 5 $1$Z9E.$rWrUh71AcmeDMxFDsrZVl0
!
no aaa new-model
clock timezone MST -7
clock summer-time MST recurring
no network-clock-participate slot 1
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip host 3550SMIA 192.168.5.2
ip host 3550SMIB 192.168.10.2
ip host 2950T 192.168.10.5
ip host 2650XM 192.168.4.3
ip name-server 64.59.144.18
ip auth-proxy max-nodata-conns 3
login on-failure log
login on-success log
!
ipv6 unicast-routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
path slot0:/configs/$h
write-memory
time-period 1440
!
!
ip ssh port 2009 rotary 1
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key cagary address 192.168.5.2 no-xauth
!
!
crypto ipsec transform-set DEMO1 esp-des esp-sha-hmac
!
crypto map MYVPN 100 ipsec-isakmp
set peer 192.168.5.2
set transform-set DEMO1
match address MP
!
buffers tune automatic
!
!
!
interface Loopback2
description IBGP neighbour to Router 3550B
ip address 2.2.2.2 255.255.255.0
!
interface Loopback3
description IBGP neighbour to Router R4
ip address 3.3.3.3 255.255.255.0
!
interface Loopback4
ip address 4.4.4.4 255.255.255.0
!
interface Loopback33
description IPV6 OSPF LAB
no ip address
ipv6 address FEC0:4::4/64
ipv6 enable
ipv6 ospf 110 area 100
!
interface Loopback133
description IPV6 OSPF LAB
no ip address
ipv6 address FEC0:1::1/64
ipv6 enable
ipv6 ospf 100 area 101
!
interface Tunnel0
ip address 10.5.1.2 255.0.0.0
tunnel source FastEthernet0/1
tunnel destination 192.168.5.2
!
interface FastEthernet0/0
description WAN Connection to ISP modem
ip address dhcp
no ip redirects
no ip unreachables
ip accounting output-packets
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
description Serial connection to 2650 on interface se/0/0
ip address 192.168.1.1 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-multipoint
no keepalive
!
interface FastEthernet0/1
description Lan Connection to 3550A Switch
ip address 192.168.5.3 255.255.255.254
ip flow ingress
ip nat inside
ip virtual-reassembly
ip ospf hello-interval 40
ip ospf priority 10
duplex auto
speed auto
crypto map MYVPN
!
interface FastEthernet1/0
description Lan Connection to 3550B Switch
ip address 192.168.6.3 255.255.255.254
ip flow ingress
ip nat inside
ip virtual-reassembly
ip ospf authentication
ip ospf authentication-key 7 05080F1C2243
ip ospf hello-interval 40
ip ospf priority 10
duplex auto
speed auto
!
interface Serial1/0
description Serial connection to 2650 on interface se0/1
ip address 192.168.2.1 255.255.255.0
no keepalive
serial restart-delay 0
!
interface FastEthernet1/1
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
redistribute static metric 300 subnets
passive-interface Serial0/0
passive-interface Serial1/1
network 3.3.3.3 0.0.0.0 area 0
network 4.4.4.4 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
network 192.168.6.0 0.0.0.255 area 0
default-information originate
ip nat translation timeout 3600
ip nat inside source list 101 interface FastEthernet0/0 overload
!
ip access-list extended MP
permit gre host 192.168.5.3 host 192.168.5.2 log
!
logging trap debugging
logging 192.168.20.9
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
Hope this helps.
Thanks,
Mahesh
12-24-2012 12:57 AM
Probably the problem has something to do with a different proxy-ACL config on the peers. Maybe it will help if you simplify the crypto ACL on both peers this way: access-list 101 permit gre any any
12-24-2012 07:52 AM
Hi Andrew.
Can you please let me know how I can do a different config of the proxy ACL on the peers?
thanks
mahesh
12-24-2012 01:31 AM
This side looks good. What does the other side look like?
12-24-2012 07:50 AM
Hi olpeleri,
Here is the config from the other side:
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key cagary address 192.168.5.3 no-xauth
!
!
crypto ipsec transform-set DEMO1 esp-des esp-sha-hmac
!
crypto map MYVPN 100 ipsec-isakmp
set peer 192.168.5.3
set transform-set DEMO1
match address MP
!
interface Tunnel0
ip address 10.5.1.1 255.0.0.0
tunnel source FastEthernet0/11
tunnel destination 192.168.5.3
!
interface FastEthernet0/11
description OSPF LAN Connection to 2691 Router
no switchport
ip address 192.168.5.2 255.255.255.254
ip ospf hello-interval 40
crypto map MYVPN
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
ip access-list extended MP
permit gre host 192.168.5.2 host 192.168.5.3 log
This is the other side.
Thanks,
Mahesh
12-24-2012 09:19 AM
It's all right with the proxy ACL; I didn't pay enough attention to the config you provided the first time. To me the config on both sides seems fine. How often do you see those logs?
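Andrew's suspicion above (a proxy-ACL mismatch between the peers) is something you can check mechanically rather than by eye. The following is an added example, not code from the thread or from Cisco: a small Python audit that pulls the `match address` ACL out of each side's crypto map entry, parses the ACEs, and reports any entry the other peer does not mirror (same action and protocol, source and destination swapped). The two config excerpts are constructed from the lists posted in this thread (MYVPN sequence 100 on both sides; the 2691 excerpt is left unindented, as forum pastes usually are), and the parser handles both indented and stripped configs.

```python
import re

# Constructed excerpts modelled on the two crypto ACLs posted in the thread.
ROUTER_2691 = """\
crypto map MYVPN 100 ipsec-isakmp
set peer 192.168.5.2
set transform-set DEMO1
match address MP
!
ip access-list extended MP
permit gre host 192.168.5.3 host 192.168.5.2 log
!
"""

SWITCH_3550 = """\
crypto map MYVPN 100 ipsec-isakmp
 set peer 192.168.5.3
 set transform-set DEMO1
 match address MP
!
ip access-list extended MP
 permit gre host 192.168.5.2 host 192.168.5.3 log
!
"""

ACL_CHILDREN = ("permit ", "deny ", "remark ", "evaluate ")
MAP_CHILDREN = ("set ", "match ", "description ", "reverse-route")


def block_lines(config, header, child_prefixes):
    """Child lines of the first block whose header equals `header`.
    Works whether or not the paste kept IOS indentation."""
    inside, out = False, []
    for raw in config.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == header
            continue
        if line == "!" or not line.startswith(child_prefixes):
            break
        out.append(line)
    return out


def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(config, name):
    """Normalized (action, proto, src, dst) tuples; 'log' and port keywords are ignored."""
    aces = []
    for line in block_lines(config, f"ip access-list extended {name}", ACL_CHILDREN):
        tokens = line.split()
        if tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        aces.append((action, proto, src, dst))
    return aces


def crypto_map_entry(config, map_name, seq):
    """Return {'peer': ..., 'acl': ...} from one ipsec-isakmp crypto map entry."""
    info = {"peer": None, "acl": None}
    for line in block_lines(config, f"crypto map {map_name} {seq} ipsec-isakmp", MAP_CHILDREN):
        tokens = line.split()
        if tokens[:2] == ["set", "peer"]:
            info["peer"] = tokens[2]
        elif tokens[:2] == ["match", "address"]:
            info["acl"] = tokens[2]
    return info


def unmirrored(local_aces, remote_aces):
    """ACEs the other peer does not mirror (same action/proto, src and dst swapped)."""
    remote = set(remote_aces)
    return [a for a in local_aces if (a[0], a[1], a[3], a[2]) not in remote]


def peer_consistent(peer, aces):
    """For host-to-host ACEs, the other side's 'set peer' must be the ACE source host."""
    hosts = [a[2] for a in aces if a[2] != ("any",) and a[2][1] == "0.0.0.0"]
    return all(h[0] == peer for h in hosts)


def audit(local_cfg, remote_cfg, map_name="MYVPN", seq="100"):
    """Compare the crypto ACLs bound to the same map entry on both peers."""
    l, r = crypto_map_entry(local_cfg, map_name, seq), crypto_map_entry(remote_cfg, map_name, seq)
    local_aces, remote_aces = parse_acl(local_cfg, l["acl"]), parse_acl(remote_cfg, r["acl"])
    return {
        "local_unmirrored": unmirrored(local_aces, remote_aces),
        "remote_unmirrored": unmirrored(remote_aces, local_aces),
        "peer_consistent": peer_consistent(l["peer"], remote_aces)
        and peer_consistent(r["peer"], local_aces),
    }


if __name__ == "__main__":
    print(audit(ROUTER_2691, SWITCH_3550))
```

For the two ACLs in this thread the audit returns empty mismatch lists, which agrees with Andrew's conclusion that the proxy ACLs are fine; the real value of the check is on larger crypto ACLs, where a single non-mirrored entry is easy to miss when reading two configs side by side.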
12-24-2012 09:26 AM
Hi Andrew,
Every one minute on the 2691 router.
Dec 24 10:09:28.358 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:10:28.360 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:11:28.363 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:12:28.366 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:13:38.365 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:14:38.367 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:15:38.369 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:16:38.372 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:17:48.371 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:18:48.373 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:19:48.376 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:20:48.378 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:21:58.377 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:22:58.380 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:23:58.382 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
2691Router#
Also, when I enable IPsec between the two tunnels, my OSPF neighbour for the tunnel goes down. Is this normal behaviour?
Thanks
Mahesh
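Two questions in this thread, which side is sending GRE in the clear and how often the message fires, can both be read off the `%CRYPTO-4-RECVD_PKT_NOT_IPSEC` lines themselves: `src_addr` is the peer that put the unencrypted packet on the wire, and the timestamps give the cadence. The following is an added example, not code from the thread or from Cisco: a Python parser for that syslog format, run over a constructed sample in the same shape as the lines above (including an unrelated login line, to show it is ignored). Year is not present in the IOS timestamp, so it is passed in as an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the thread's log format: one-minute cadence plus an
# unrelated SEC_LOGIN line that the parser must skip.
SAMPLE_LOG = """\
Dec 24 10:09:28.358 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:10:28.360 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:10:40.000 MST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mintoo] [Source: 192.168.5.2] [localport: 23] at 10:10:40 MST Mon Dec 24 2012
Dec 24 10:11:28.363 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 24 10:12:28.366 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
"""

# IOS syslog prefix, then the fields of this particular message.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)? \S+: "
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: .*?"
    r"dest_addr= *(?P<vrf>[^/]*)/(?P<dst>[\d.]+), src_addr= *(?P<src>[\d.]+), prot= *(?P<prot>\d+)"
)

PROTO_NAMES = {47: "GRE", 50: "ESP", 51: "AH"}


def parse_events(text, year=2012):
    """Return one dict per RECVD_PKT_NOT_IPSEC line; other messages are ignored.
    `year` is an assumption, since the IOS timestamp does not carry it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "src": m["src"],
            "dst": m["dst"],
            "prot": int(m["prot"]),
            "vrf": m["vrf"] or "global",
        })
    return events


def summarize(events):
    """Group by (src, dst, prot): count and median inter-arrival time in seconds."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"], e["prot"])].append(e["ts"])
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {
            "count": len(stamps),
            "median_gap_s": median(gaps) if gaps else None,
            "proto_name": PROTO_NAMES.get(key[2], str(key[2])),
        }
    return summary


def clear_text_senders(events):
    """Peers that sent the flagged traffic unencrypted (the src_addr field)."""
    return sorted({e["src"] for e in events})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, info in summarize(evs).items():
        src, dst, _ = key
        print(f"{src} -> {dst} {info['proto_name']}: {info['count']} hits, "
              f"median gap {info['median_gap_s']} s")
    print("sent in the clear by:", clear_text_senders(evs))
```

On the sample this reports one flow, 192.168.5.2 -> 192.168.5.3 GRE, four hits at a 60-second median gap, with 192.168.5.2 as the clear-text sender. That matches the `show crypto ipsec sa` counters in the first post (3646 packets encapsulated by the 2691 against only 4 decapsulated), which independently point to the 3550 side as the one not encrypting.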
12-24-2012 11:42 AM
In order to make your OSPF adjacency active when the secure tunnel is up, you have to:
on 2691:
delete this statement from the OSPF config:
- network 192.168.5.0 0.0.0.255 area 0, which refers to the real interface IPs,
and replace it with
- network 10.0.0.0 0.255.255.255 area 0, which refers to the tunnel interface IPs.
on 3550:
- just delete network 192.168.5.0 0.0.0.255 area 0
from the OSPF config.
The OSPF adjacency should be made between the tunnel IP addresses.
12-25-2012 11:59 AM
Hi Andrew,
I did as you said, but after doing that
the 2691 has no OSPF neighbour adjacency to the 3550.
On the 3550, when I do sh ip route it does not show any OSPF routes.
It has the static route only.
Thanks,
Mahesh
Message was edited by: mahesh parmar
12-27-2012 10:12 AM
Hi Andrew,
I tried a number of times to make the OSPF adjacency with the tunnel interfaces, but no luck.
Thanks
Mahesh
12-27-2012 10:02 PM
If you did what I said in the previous post, to me your config seems fine. But, probably, I'm missing something)) Try it without IPsec. Just GRE. And see what will happen. Plus, about IPsec, it's better practice to use VTI interfaces than just regular GRE over IPsec.
So, for now, just try it without securing your tunnel (remove the crypto map statements from the interface configs).
12-28-2012 12:53 AM
The reason you get that message is because the tunnel is not protected. It's true that the GRE tunnel was established, but it is not protected. You can create an IPsec profile, then apply the transform set to that profile; after that you can apply the IPsec profile to the tunnel using the tunnel protection command:
R1(config)# crypto ipsec transform-set TRANS-SET esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
R1(config)# crypto ipsec profile ipsec-prof
R1(ipsec-profile)# set transform-set TRANS-SET
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile ipsec-prof
By applying the above commands you will have GRE over IPsec, not just a plain GRE tunnel, and that should get rid of the error message you are having. Or you can apply the crypto map to the tunnel interface as well.
12-28-2012 01:03 AM