%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet

mahesh18
Level 6

Hi Everyone,

I have a GRE over IPsec tunnel between a 2691 and a 3550.

The 2691 connects to the Internet and does the NAT.

The tunnel seems to be up/up and working fine, but on the 2691 I am seeing these in the logs:

Dec 23 10:07:27.580 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 23 10:08:05.957 MST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mintoo] [Source: 192.168.5.2] [localport: 23] at 10:08:05 MST Sun Dec 23 2012

Dec 23 10:08:27.582 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 23 10:09:27.585 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

2691Router# sh crypto isakmp sa

dst             src             state          conn-id slot status

192.168.5.2     192.168.5.3     QM_IDLE             38    0 ACTIVE

2691Router# sh cry

2691Router# sh crypto ipsec sa

interface: FastEthernet0/1

    Crypto map tag: MYVPN, local addr 192.168.5.3

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.5.3/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (192.168.5.2/255.255.255.255/47/0)

   current_peer 192.168.5.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 3646, #pkts encrypt: 3646, #pkts digest: 3646

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.5.3, remote crypto endpt.: 192.168.5.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1

     current outbound spi: 0x28553A1D(676674077)

     inbound esp sas:

      spi: 0x2BD49D31(735354161)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2002, flow_id: AIM-VPN/EPII:2, crypto map: MYVPN

        sa timing: remaining key lifetime (k/sec): (4449766/1872)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x28553A1D(676674077)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: AIM-VPN/EPII:1, crypto map: MYVPN

        sa timing: remaining key lifetime (k/sec): (4449739/1872)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

How can I fix the log on the 2691 router?

Also, how can I tell which side is doing encryption and which is not?

Many thanks

MAhesh
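As an added example (not part of the original post), here is a small Python script that parses the %CRYPTO-4-RECVD_PKT_NOT_IPSEC syslog lines and the encaps/decaps counters from "show crypto ipsec sa", and answers the second question: if this router has encapsulated thousands of packets but decapsulated only a handful, and is logging cleartext GRE (protocol 47) from the peer, it is the local side that encrypts and the peer that sends in clear. The sample log lines and counters are copied from the thread; the year (absent from IOS timestamps), the 10:1 encaps/decaps ratio and the function names are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: syslog lines of the kind quoted in the thread plus the
# packet counters from the 2691's "show crypto ipsec sa" output.
SYSLOG_SAMPLE = """\
Dec 23 10:07:27.580 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 23 10:08:05.957 MST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mintoo] [Source: 192.168.5.2] [localport: 23] at 10:08:05 MST Sun Dec 23 2012
Dec 23 10:08:27.582 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 23 10:09:27.585 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
"""

IPSEC_SA_SAMPLE = """\
    #pkts encaps: 3646, #pkts encrypt: 3646, #pkts digest: 3646
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
"""

NOT_IPSEC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ \w+: %CRYPTO-4-RECVD_PKT_NOT_IPSEC:"
    r".*?vrf/dest_addr= (?P<vrf>[^/\s]*)/(?P<dst>[\d.]+), src_addr= (?P<src>[\d.]+), prot= (?P<prot>\d+)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_not_ipsec_events(text, year=2012):
    """Return one dict per %CRYPTO-4-RECVD_PKT_NOT_IPSEC line; other messages are skipped.
    IOS timestamps carry no year, so the caller supplies one (2012 assumed for the sample)."""
    events = []
    for line in text.splitlines():
        m = NOT_IPSEC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["prot"] = int(d["prot"])
        d["time"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
        events.append(d)
    return events


def summarize_events(events):
    """Count cleartext packets per (src, dst, prot) and report the median gap between
    events in seconds, which shows whether the sender is periodic or bursty."""
    counts = Counter((e["src"], e["dst"], e["prot"]) for e in events)
    times = sorted(e["time"] for e in events)
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    median_gap = gaps[len(gaps) // 2] if gaps else None
    return counts, median_gap


def parse_sa_counters(text):
    """Pull the encaps/decaps packet counters out of 'show crypto ipsec sa' output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose(counters, events, local_addr):
    """Heuristic (this example's own): encaps counts packets this router encrypted, decaps
    packets it decrypted. Thousands encapsulated but only a handful decapsulated, together
    with cleartext GRE (protocol 47) logged from the peer, means this side encrypts and
    the peer does not."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    clear_in = sum(1 for e in events if e["dst"] == local_addr and e["prot"] == 47)
    if clear_in and enc > 10 * max(dec, 1):
        return "local side encrypts; peer sends GRE in clear"
    if clear_in:
        return "cleartext GRE arriving from peer; check the peer's crypto map"
    return "no cleartext GRE observed"


if __name__ == "__main__":
    evs = parse_not_ipsec_events(SYSLOG_SAMPLE)
    print(summarize_events(evs))
    print(diagnose(parse_sa_counters(IPSEC_SA_SAMPLE), evs, "192.168.5.3"))
```

Run it against a buffered log and the SA output of each peer; the side whose decaps counter stays near zero while it logs cleartext GRE from the other is the one whose peer is bypassing the crypto map.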


olpeleri
Cisco Employee

Dec 23 10:09:27.585 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

That means the remote device is bypassing encryption and sends GRE in clear. Can you show the configs of the device with the IP 192.168.5.3?

Cheers,

Hi olpeleri,

Thanks for the reply.

Here is the config of the device with 192.168.5.3:

Current configuration : 9257 bytes

!

! Last configuration change at 14:33:15 MST Sun Dec 23 2012 by mintoo

! NVRAM config last updated at 14:18:18 MST Sun Dec 23 2012 by mintoo

!

version 12.4

service nagle

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service internal

!

hostname 2691Router

!

boot-start-marker

boot-end-marker

!

no logging exception

logging count

logging buffered 4096 informational

enable secret level 5 5 $1$EC0J$upgsksyfc5JJ/ree2A9BO0

enable secret 5 $1$Z9E.$rWrUh71AcmeDMxFDsrZVl0

!

no aaa new-model

clock timezone MST -7

clock summer-time MST recurring

no network-clock-participate slot 1

no ip icmp rate-limit unreachable

ip cef

!

!

!

!

ip host 3550SMIA 192.168.5.2

ip host 3550SMIB 192.168.10.2

ip host 2950T 192.168.10.5

ip host 2650XM 192.168.4.3

ip name-server 64.59.144.18

ip auth-proxy max-nodata-conns 3

login on-failure log

login on-success log

!

ipv6 unicast-routing

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

log config

  hidekeys

path slot0:/configs/$h

write-memory

time-period 1440

!

!

ip ssh port 2009 rotary 1

!

!

crypto isakmp policy 100

encr aes

authentication pre-share

group 2

crypto isakmp key cagary address 192.168.5.2 no-xauth

!

!

crypto ipsec transform-set DEMO1 esp-des esp-sha-hmac

!

crypto map MYVPN 100 ipsec-isakmp

set peer 192.168.5.2

set transform-set DEMO1

match address MP

!

buffers tune automatic

!

!

!

interface Loopback2

description IBGP neighbour to Router 3550B

ip address 2.2.2.2 255.255.255.0

!

interface Loopback3

description IBGP neighbour to Router R4

ip address 3.3.3.3 255.255.255.0

!

interface Loopback4

ip address 4.4.4.4 255.255.255.0

!

interface Loopback33

description IPV6 OSPF LAB

no ip address

ipv6 address FEC0:4::4/64

ipv6 enable

ipv6 ospf 110 area 100

!

interface Loopback133

description IPV6 OSPF LAB

no ip address

ipv6 address FEC0:1::1/64

ipv6 enable

ipv6 ospf 100 area 101

!

interface Tunnel0

ip address 10.5.1.2 255.0.0.0

tunnel source FastEthernet0/1

tunnel destination 192.168.5.2

!

interface FastEthernet0/0

description WAN Connection to ISP modem

ip address dhcp

no ip redirects

no ip unreachables

ip accounting output-packets

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/0

description Serial connection to 2650 on interface se/0/0

ip address 192.168.1.1 255.255.255.0

encapsulation frame-relay

ip ospf network point-to-multipoint

no keepalive

!

interface FastEthernet0/1

description Lan Connection to 3550A Switch

ip address 192.168.5.3 255.255.255.254

ip flow ingress

ip nat inside

ip virtual-reassembly

ip ospf hello-interval 40

ip ospf priority 10

duplex auto

speed auto

crypto map MYVPN

!

interface FastEthernet1/0

description Lan Connection to 3550B Switch

ip address 192.168.6.3 255.255.255.254

ip flow ingress

ip nat inside

ip virtual-reassembly

ip ospf authentication

ip ospf authentication-key 7 05080F1C2243

ip ospf hello-interval 40

ip ospf priority 10

duplex auto

speed auto

!

interface Serial1/0

description Serial connection to 2650 on interface se0/1

ip address 192.168.2.1 255.255.255.0

no keepalive

serial restart-delay 0

!

interface FastEthernet1/1

router ospf 1

router-id 4.4.4.4

log-adjacency-changes

redistribute static metric 300 subnets

passive-interface Serial0/0

passive-interface Serial1/1

network 3.3.3.3 0.0.0.0 area 0

network 4.4.4.4 0.0.0.0 area 0

network 192.168.1.0 0.0.0.255 area 0

network 192.168.2.0 0.0.0.255 area 0

network 192.168.5.0 0.0.0.255 area 0

network 192.168.6.0 0.0.0.255 area 0

default-information originate

ip nat translation timeout 3600

ip nat inside source list 101 interface FastEthernet0/0 overload

!

ip access-list extended MP

permit gre host 192.168.5.3 host 192.168.5.2 log

!

logging trap debugging

logging 192.168.20.9

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

hope this helps

thanks

mahesh

Probably the problem has something to do with a different config of the proxy ACL on the peers. Maybe it'll help if you simplify the crypto ACL on both peers this way: access-list 101 permit gre any any

Hi Andrew.

Can you please let me know how I can do a different config of the proxy ACL on the peers?

thanks

mahesh

This side looks good. How does the other side look?

!

Hi olpeleri,

Here is the config from the other side:

crypto isakmp policy 100

encr aes

authentication pre-share

group 2

crypto isakmp key cagary address 192.168.5.3 no-xauth

!

!

crypto ipsec transform-set DEMO1 esp-des esp-sha-hmac

!

crypto map MYVPN 100 ipsec-isakmp

set peer 192.168.5.3

set transform-set DEMO1

match address MP

!

interface Tunnel0

ip address 10.5.1.1 255.0.0.0

tunnel source FastEthernet0/11

tunnel destination 192.168.5.3

!

interface FastEthernet0/11

description OSPF LAN Connection to 2691 Router

no switchport

ip address 192.168.5.2 255.255.255.254

ip ospf hello-interval 40

crypto map MYVPN

router ospf 1

router-id 3.4.4.4

log-adjacency-changes

area 10 virtual-link 10.4.4.1

passive-interface Vlan10

passive-interface Vlan20

network 3.4.4.4 0.0.0.0 area 0

network 10.0.0.0 0.255.255.255 area 0

network 192.168.4.0 0.0.0.255 area 10

network 192.168.5.0 0.0.0.255 area 0

network 192.168.10.0 0.0.0.255 area 0

network 192.168.20.0 0.0.0.255 area 0

network 192.168.30.0 0.0.0.255 area 0

network 192.168.98.0 0.0.0.255 area 0

network 192.168.99.0 0.0.0.255 area 0

ip access-list extended MP

permit gre host 192.168.5.2 host 192.168.5.3 log

This is the other side.

thanks

mahesh

It's all right with the proxy ACL, I didn't pay enough attention to the config you provided the first time). To me the config on both sides seems fine. How often do you see those logs?
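The check being done by eye in the last few posts (are the crypto ACLs mirror images, and does each side's "set peer" point at the address the other side applied its crypto map to?) can be scripted. The following is an added example, not code from the thread: it parses trimmed excerpts of the two configs posted above (indented the way "show run" prints them), extracts the crypto-map peer, the matched ACL and the interface address carrying the crypto map, and reports any entry on one side that has no mirrored entry on the other. The function names and the output wording are this example's own.

```python
# Constructed excerpts of the two configs posted in the thread: the 2691 (side A)
# and the 3550 (side B). Only the lines the check needs are kept.
CFG_2691 = """\
crypto map MYVPN 100 ipsec-isakmp
 set peer 192.168.5.2
 set transform-set DEMO1
 match address MP
!
interface FastEthernet0/1
 ip address 192.168.5.3 255.255.255.254
 crypto map MYVPN
!
ip access-list extended MP
 permit gre host 192.168.5.3 host 192.168.5.2 log
"""

CFG_3550 = """\
crypto map MYVPN 100 ipsec-isakmp
 set peer 192.168.5.3
 set transform-set DEMO1
 match address MP
!
interface FastEthernet0/11
 no switchport
 ip address 192.168.5.2 255.255.255.254
 crypto map MYVPN
!
ip access-list extended MP
 permit gre host 192.168.5.2 host 192.168.5.3 log
"""


def _addr_term(tokens):
    """Consume one ACL address term: 'any', 'host A', or 'A WILDCARD'. Returns (term, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/0.0.0.0", tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_side(cfg):
    """Extract what the mirror check needs: crypto-map peer, the crypto ACL it matches,
    that ACL's entries as (action, proto, src, dst), and the address of the interface
    the crypto map is applied to. Sections are told apart by show-run indentation."""
    side = {"peer": None, "acl": None, "local": None, "acls": {}}
    section = ""
    iface_ip = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            section = line
            if section.startswith("ip access-list extended "):
                side["acls"].setdefault(section.split()[-1], [])
            continue
        tokens = line.split()
        if section.startswith("crypto map "):
            if tokens[:2] == ["set", "peer"]:
                side["peer"] = tokens[2]
            elif tokens[:2] == ["match", "address"]:
                side["acl"] = tokens[2]
        elif section.startswith("interface "):
            if tokens[:2] == ["ip", "address"]:
                iface_ip = tokens[2]
            elif tokens[:2] == ["crypto", "map"]:
                side["local"] = iface_ip
        elif section.startswith("ip access-list extended ") and tokens[0] in ("permit", "deny"):
            action, proto = tokens[0], tokens[1]
            src, rest = _addr_term(tokens[2:])
            dst, _ = _addr_term(rest)
            side["acls"][section.split()[-1]].append((action, proto, src, dst))
    side["entries"] = side["acls"].get(side["acl"], [])
    return side


def check_mirror(a, b, name_a="A", name_b="B"):
    """Return a list of human-readable problems; an empty list means the two sides mirror."""
    problems = []
    for x, y, nx, ny in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        if x["peer"] != y["local"]:
            problems.append(f"{nx} peers with {x['peer']} but {ny}'s crypto map is on {y['local']}")
        mirror = {(act, proto, dst, src) for act, proto, src, dst in y["entries"]}
        for entry in x["entries"]:
            if entry not in mirror:
                act, proto, src, dst = entry
                problems.append(f"{ny} has no mirror of {nx} entry: {act} {proto} {src} -> {dst}")
    return problems


if __name__ == "__main__":
    print(check_mirror(parse_side(CFG_2691), parse_side(CFG_3550), "2691", "3550") or "ACLs mirror")
```

For the two configs in the thread the check returns no problems, which matches the conclusion above; changing only one side to "permit gre any any", as the earlier suggestion would do if applied to a single peer, is reported on both directions.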

Hi Andrew,

Every one minute on the 2691 router.

Dec 24 10:09:28.358 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:10:28.360 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:11:28.363 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:12:28.366 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:13:38.365 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:14:38.367 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:15:38.369 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:16:38.372 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:17:48.371 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:18:48.373 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:19:48.376 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:20:48.378 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:21:58.377 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:22:58.380 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

Dec 24 10:23:58.382 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

2691Router#

Also, when I enable IPsec between the two tunnels my OSPF neighbor for the tunnel goes down. Is this normal behaviour?

Thanks

Mahesh

In order to make your OSPF adjacency active when the secure tunnel is up you have to

on 2691:

delete this statement from the OSPF config:

-network 192.168.5.0 0.0.0.255 area 0, which refers to the real interfaces' IPs

and replace it with

-network 10.0.0.0 0.255.255.255 area 0, which refers to the tunnel interfaces' IPs.

on 3550:

-just delete 192.168.5.0 0.0.0.255 area 0

from the OSPF config.

The OSPF adjacency should be made between the tunnel IP addresses.
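The reason this matters for the crypto side is visible in the ACL MP above: only GRE between the two peer addresses is encrypted, so OSPF hellos exchanged directly on the 192.168.5.x link are outside the tunnel and travel in clear, whereas hellos sent over Tunnel0 are GRE-encapsulated and therefore protected. The added example below (not from the thread) applies IOS wildcard-mask matching to the 2691's interface addresses and its OSPF "network" statements before and after the change just described, and reports which link the adjacency would form on. The interface and network lists are a constructed subset of the posted config; the rule that the most specific statement wins when several match is the assumption this example uses to resolve overlaps.

```python
import ipaddress

# Constructed from the 2691's config in the thread: interface addresses and the
# "network" statements under "router ospf 1", before and after the suggested change.
INTERFACES_2691 = {"Tunnel0": "10.5.1.2", "FastEthernet0/1": "192.168.5.3", "Loopback4": "4.4.4.4"}

NETWORKS_BEFORE = [
    ("4.4.4.4", "0.0.0.0", "0"),
    ("192.168.5.0", "0.0.0.255", "0"),
]
NETWORKS_AFTER = [
    ("4.4.4.4", "0.0.0.0", "0"),
    ("10.0.0.0", "0.255.255.255", "0"),
]


def wildcard_match(ip, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def ospf_interfaces(interfaces, networks):
    """Map each interface to the OSPF area it lands in, or None if no network statement
    covers its address. Overlaps are resolved by the most specific statement (fewest
    wildcard bits), which is the rule assumed here."""
    ordered = sorted(networks, key=lambda n: bin(int(ipaddress.IPv4Address(n[1]))).count("1"))
    result = {}
    for name, ip in interfaces.items():
        result[name] = next((area for net, wc, area in ordered if wildcard_match(ip, net, wc)), None)
    return result


def adjacency_path(interfaces, networks, tunnel="Tunnel0", physical="FastEthernet0/1"):
    """Report whether OSPF hellos would run only over the tunnel (inside the crypto ACL),
    over the physical link (outside it), or nowhere."""
    areas = ospf_interfaces(interfaces, networks)
    if areas[tunnel] is not None and areas[physical] is None:
        return "tunnel"
    if areas[physical] is not None:
        return "physical"
    return "none"


if __name__ == "__main__":
    print("before:", ospf_interfaces(INTERFACES_2691, NETWORKS_BEFORE), adjacency_path(INTERFACES_2691, NETWORKS_BEFORE))
    print("after: ", ospf_interfaces(INTERFACES_2691, NETWORKS_AFTER), adjacency_path(INTERFACES_2691, NETWORKS_AFTER))
```

Before the change the tunnel address 10.5.1.2 is covered by no network statement, so OSPF runs only on the physical link; after it, only Tunnel0 is in area 0 and the hellos ride inside the GRE that the crypto map protects.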

Hi Andrew,

I did as you said, but after doing that

2691 has no OSPF neighbor adjacency to 3550.

On 3550 when I do sh ip route it does not show any OSPF routes.

It has a static route only.

Thanks

MAhesh

Message was edited by: mahesh parmar

Hi Andrew,

I tried a number of times to make the OSPF adjacency with the Tunnel interfaces but no luck.

Thanks

Mahesh

If you did what I said in the previous post, to me your config seems fine. But, probably, I'm missing something)) Try it without IPsec. Just GRE. And see what will happen. Plus, about IPsec, it's better practice to use VTI interfaces than just regular GRE over IPsec.

So, for now, just try it without securing your tunnel (remove the crypto map statements from the interface configs).

Rudy Sanjoko
Level 4

The reason you get that message is that the tunnel is not protected. It's true that the GRE tunnel was established, but it is not protected. You can create an IPsec profile, then apply the transform set to that profile; after that you can apply the IPsec profile to the tunnel using the tunnel protection command:

R1(config)# crypto ipsec transform-set TRANS-SET esp-3des esp-md5-hmac

R1(cfg-crypto-trans)# mode transport


R1(config)# crypto ipsec profile ipsec-prof

R1(ipsec-profile)# set transform-set TRANS-SET


R1(config)# interface Tunnel 0

R1(config-if)# tunnel protection ipsec profile ipsec-prof

By applying the above commands, you will have GRE over IPsec, not just a plain GRE tunnel, and that should get rid of the error message you are having. Or you can apply the crypto map to the tunnel interface as well.

rudy.sanjoko, you're not correct. His GRE tunnel was protected, but using regular crypto maps (old way). What you suggest is just another implementation of it (new way), but it does the same thing.
To what you suggest I'd also add tunnel mode ipsec ipv4 to reduce overhead.