IPSec + GRE + OSPF (err: packet received no encrypted)

hannyong
Level 1

Need help,

I've got 2 routers connected back to back through serial port and I've enabled OSPF throughout all interfaces. 1 loopback interface, and 1 tunnel interface on each router. Without the crypto map command, I can see OSPF forming adjacencies with the other router. Once I put the crypto map onto the serial, tunnel and FastEthernet interfaces, I see an error popping up, stating that destination (224.0.0.5) OSPF multicast packets received are not encrypted.

I've already put permit ip any any and permit ip ospf any any into my match address ACL. Does anyone have any suggestions why OSPF multicast is not being encrypted in the tunnel?

Once I take out the crypto map, OSPF works again.

Using IOS 12.2(17).

Thanks

Hann yong

1 Reply

Steve Fuller
Level 9

Cisco IOS does not pass IP multicast traffic through the encryption process on egress, but does so on ingress, hence the problem.

We had the same issue, albeit using EIGRP, and we changed the ACL to be as follows:

!
ip access-list extended ACL-NAME
 deny ip 224.0.0.0 15.255.255.255 any
 permit ip any any
!

While this overcomes the problem you mention here, it does mean that your OSPF traffic will not be encrypted.

If you're using GRE, why not establish the OSPF adjacency over the GRE tunnel and then use an ACL to encrypt the GRE traffic as follows:

!
ip access-list extended ACL-NAME
 permit gre host 192.168.1.1 host 192.168.1.2
!

Regards
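
The three crypto ACLs discussed in this thread, run through a simplified model, as an added example that is not part of the original posts and is not Cisco code. It assumes the egress behaviour stated in the reply, assumes that inbound cleartext is checked against the mirror image of the receiver's crypto ACL, and assumes 192.168.1.1 and 192.168.1.2 are the two routers' link addresses; the function and variable names are hypothetical.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, proto, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and wc_match(src, *s) and wc_match(dst, *d):
            return action == "permit"
    return False

def send(tx_acl, rx_acl, proto, src, dst):
    """Return (accepted_by_receiver, encrypted_on_wire) for one packet."""
    multicast = ipaddress.IPv4Address(dst).is_multicast
    # Egress, as the reply states: multicast is not passed to encryption.
    encrypted = (not multicast) and acl_permits(tx_acl, proto, src, dst)
    # Ingress (assumed model): cleartext is checked against the mirror image
    # of the receiver's crypto ACL and dropped if it should have been protected.
    should_be_protected = acl_permits(rx_acl, proto, dst, src)
    return (encrypted or not should_be_protected, encrypted)

# ACLs from the thread; the GRE ACL on router B is the mirror of router A's.
ORIGINAL = [("permit", "ip", ANY, ANY)]
MCAST_EXEMPT = [("deny", "ip", ("224.0.0.0", "15.255.255.255"), ANY),
                ("permit", "ip", ANY, ANY)]
GRE_A = [("permit", "gre", host("192.168.1.1"), host("192.168.1.2"))]
GRE_B = [("permit", "gre", host("192.168.1.2"), host("192.168.1.1"))]

A, B, ALL_SPF = "192.168.1.1", "192.168.1.2", "224.0.0.5"

def scenarios():
    return {
        "original": send(ORIGINAL, ORIGINAL, "ospf", A, ALL_SPF),
        "multicast exempt": send(MCAST_EXEMPT, MCAST_EXEMPT, "ospf", A, ALL_SPF),
        # OSPF hello carried inside the tunnel: the wire packet is unicast GRE.
        "gre only": send(GRE_A, GRE_B, "gre", A, B),
    }

if __name__ == "__main__":
    for name, (accepted, encrypted) in scenarios().items():
        print(f"{name:17} accepted={accepted} encrypted={encrypted}")
```

Only the GRE-only ACL yields a routing adjacency that is both accepted and encrypted on the wire; the multicast exemption restores the adjacency but leaves the hellos in cleartext.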