09-29-2010 07:16 PM
Hi All
Setup is as follows
c1841-advsecurityk9-mz.124-16.bin
Clients PC on Win 7 PPTP connection to a Public IP -----> Cisco 1841 onsite---->Internet
Client gets error 619. Now, the client does have a site-to-site VPN configured on the router to connect to a different customer, and that's working fine.
When we dial pptp connection using windows 7, on cisco router I get
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /<Router's Wan IP>, src_addr= <Public IP of destination>, prot= 47
The destination in question is not Cisco and doesn't use IPsec. It works if I use my WiFi 3G card, so the destination is not an issue.
Win7 Firewall is disabled (FYI)
interface Dialer0
description SHDSL Primary Dialer
ip address negotiated
ip nat outside
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 2147483
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ...
ppp chap password ...
crypto map VPN
ip nat source list 100 interface Dialer0 overload
access-list 100 deny ip 192.168.0.0 0.0.0.255 host <Wan IP of different customer>
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit gre any any
access-list 100 permit tcp any any eq 1723
access-list 120 permit ip 192.168.0.0 0.0.0.255 host <Wan IP of different customer>
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
lifetime 86000
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key sharedkey address <Wan IP of different customer>
crypto ipsec transform-set Pactolus-cc esp-3des esp-sha-hmac
crypto map VPN 20 ipsec-isakmp
set peer <Wan IP of different customer>
set transform-set Pactolus-cc
set pfs group2
match address 120
Since acl 120 is precisely for a source destination, I should be able to receive non ipsec packets on device.
Any clue/suggestions appreciated.
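Added example, not part of the original post and not Cisco code: a small first-match evaluator for the posted ACLs 100 and 120, showing which line of ACL 100 a client's GRE packet hits and whether the returning GRE packet falls inside the mirror image of crypto ACL 120. The three addresses are constructed stand-ins for the placeholders in the post, and testing inbound cleartext against the mirrored crypto ACL is a simplified model of the check behind the RECVD_PKT_NOT_IPSEC message.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the posted config.
PEER = "203.0.113.10"          # <Wan IP of different customer>
PPTP_SERVER = "198.51.100.20"  # PPTP destination (not the IPsec peer)
ROUTER_WAN = "192.0.2.1"       # router's WAN IP

ACL_100 = f"""\
deny ip 192.168.0.0 0.0.0.255 host {PEER}
permit ip 192.168.0.0 0.0.0.255 any
permit gre any any
permit tcp any any eq 1723"""
ACL_120 = f"permit ip 192.168.0.0 0.0.0.255 host {PEER}"

def take_addr(tok):
    """Consume one address spec; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.ip_address(tok.pop(0))), 0
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(tok.pop(0)))

def parse(text):
    """Parse ACL bodies (the text after 'access-list <n>') into rule tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def hit(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    base, wild = spec
    return (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, dport=None, mirror=False):
    """First match as (line_no, action); the implicit deny is (None, 'deny')."""
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if mirror:  # inbound check: swap source and destination of the rule
            rsrc, rdst = rdst, rsrc
        if rproto not in ("ip", proto) or (rport is not None and rport != dport):
            continue
        if hit(rsrc, src) and hit(rdst, dst):
            return n, action
    return None, "deny"
```

With these stand-ins, a client's GRE packet to the PPTP server matches line 2 of ACL 100 (`permit ip 192.168.0.0 0.0.0.255 any`) before it reaches the `permit gre any any` line, and GRE arriving from the PPTP server does not match the mirror of ACL 120.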
12-19-2010 08:36 PM
I haven't seen your config yet, but you should remove it ASAP from here. You have provided all the password information in there,
and please change all your passwords as well.
12-19-2010 08:52 PM
As I mentioned earlier, your config has an ACL to match all GRE traffic and then tunnel it.
Windows PPTP VPN uses TCP/1723 and GRE (IP/47).
So make your ACLs precise as per requirement.
12-19-2010 09:40 PM
Ok Aman but we have set these ACLs that allow this traffic.
12-19-2010 09:41 PM
Please make it specific, as in specify based on destination, maybe.
12-23-2010 12:35 PM
Hello Aman
I performed the configuration you told me, and did not get good results.
The access lists entered were:
access-list 101 permit tcp host and Stock [Server-IP] eq 1723 log
access-list 101 permit gre host and Stock [Server-IP] log
access-list 101 permit tcp host and Stock [Server-IP] eq 47 log
access-list 101 permit tcp host and Stock [Server-IP] eq 1701 log
access-list 101 permit udp host and Stock [Server-IP] eq isakmp log
access-list 101 permit esp host and Stock [Server-IP]
access-list 101 permit ahp host and Stock [Server-IP]
access-list 101 permit ip any any
I also removed all ACLs that permitted all the traffic and I still have the same problem. Can you suggest something? Another deployment, e.g.
Greetings