12-17-2015 05:03 AM - edited 02-21-2020 08:35 PM
Hi all,
I am preparing a test lab environment before implementing a multisite IPsec VPN on the real site, but here is the problem I'm facing while configuring the multi-site IPsec VPN.
The scenario is:
R1==>R2
R1==>R3
Assume R1 is our HQ router and R2, R3 are our two branch sites. The IPsec VPN connection between R1 and R2 is established, but the R1 to R3 connection is not establishing; it is stuck in the DOWN-NEGOTIATING state. When I tried to forcefully reach R1 from the R2 router, I got this error message:
*Dec 17 15:56:16.399: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 1.1.1.3, prot= 17
Please see the attached topology file and the configuration files of each router.
I'll appreciate your consideration.
Thank You.
12-17-2015 04:10 PM
Hi Muhammad,
I would try to remove the "permit ip any any" from the crypto ACL on R1 and R3.
Are you testing with real gear or with GNS3?
Hope it helps
-Randy-
12-19-2015 05:16 AM
Dear @rvarelac,
Thank you for your reply.
As per your instruction to remove *permit ip any any* from the crypto ACL on R1 and R3, I did it, but they are still not establishing a VPN connection. This time, when I tried to ping from R3 to R1, I got this error message on R1:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 1.1.1.3, prot= 1
I'm just testing before the implementation on HQ and branch offices.
Kindly suggest what I should do. I'm testing this scenario on GNS3 1.3.0.
12-20-2015 10:31 AM
Hi Muhammad,
The configuration looks fine on both ends.
R1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ycisco address 1.1.1.3
crypto map cmap 2 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set yts
 match address yacl
crypto ipsec transform-set yts esp-3des esp-md5-hmac
ip access-list extended yacl
 permit ip 192.168.0.0 0.0.0.255 192.168.105.0 0.0.0.255
-----------------------------------------------------------------
R3
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ycisco address 1.1.1.1
crypto map cmap 2 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set yts
 match address hqacl
crypto ipsec transform-set yts esp-3des esp-md5-hmac
ip access-list extended hqacl
 permit ip 192.168.105.0 0.0.0.255 192.168.0.0 0.0.0.255
The error you are getting is caused by a mismatch on the crypto ACL or because one of the ends is not encrypting correctly. In your case the ACL is correct; it looks like this could be a GNS3 thing.
Hope it helps
-Randy-
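One way to script the crypto ACL mirror check discussed in the reply above, as an added example that is not part of the thread or of anyone's posted configuration. The function names are hypothetical, the sample strings are the crypto map and ACL lines quoted in the thread, and the parser assumes `permit`/`deny` entries without port operators.

```python
import re

# Crypto map and crypto ACL lines as quoted in the thread for R1 and R3.
R1 = """crypto map cmap 2 ipsec-isakmp
 set peer 1.1.1.3
 match address yacl
ip access-list extended yacl
 permit ip 192.168.0.0 0.0.0.255 192.168.105.0 0.0.0.255
"""
R3 = """crypto map cmap 2 ipsec-isakmp
 set peer 1.1.1.1
 match address hqacl
ip access-list extended hqacl
 permit ip 192.168.105.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

def acl_for_peer(config, peer):
    """Name of the crypto ACL on the crypto map entry whose 'set peer' is `peer`."""
    for entry in re.split(r"(?mi)^crypto map ", config)[1:]:
        if re.search(rf"(?m)^\s*set peer {re.escape(peer)}\s*$", entry):
            m = re.search(r"(?m)^\s*match address (\S+)", entry)
            return m.group(1) if m else None

def take_addr(words):
    """Consume one IOS address spec from `words`; return (network, wildcard)."""
    head = words.pop(0)
    if head == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (words.pop(0), "0.0.0.0") if head == "host" else (head, words.pop(0))

def acl_entries(config, name):
    """(action, protocol, source, destination) for each line of a named extended ACL."""
    entries, inside = [], False
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "access-list", "extended"]:
            inside = w[3:] == [name]
        elif inside and w and w[0] in ("permit", "deny"):
            rest = w[2:]
            entries.append((w[0], w[1], take_addr(rest), take_addr(rest)))
        elif w:
            inside = False  # any other command ends the ACL block
    return entries

def mirror_mismatches(cfg_a, peer_b, cfg_b, peer_a):
    """Entries of A's crypto ACL toward B with no source/destination-swapped twin on B."""
    a = acl_entries(cfg_a, acl_for_peer(cfg_a, peer_b))
    b = acl_entries(cfg_b, acl_for_peer(cfg_b, peer_a))
    twins = {(act, proto, dst, src) for act, proto, src, dst in b}
    return [e for e in a if e not in twins]
```

Calling `mirror_mismatches(R1, "1.1.1.3", R3, "1.1.1.1")` on the quoted configurations returns an empty list, which matches the reply's reading that the ACLs mirror each other.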
12-24-2015 12:36 AM
Hi rvarelac,
Thank you for your cooperation.
It was a GNS3 problem and all the configuration looks fine.
Finally, I'm configuring IPsec DMVPN with HQ and branch offices.
Hub==>Spoke1 and Spoke2 terminology
Usman