05-20-2014 10:17 AM
This is set up on two Cisco 3900 series routers. When I try to ping from a laptop I get the error:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.1.11.2, src_addr= 172.2.1.2, prot= 1
On routerA. Any help would be appreciated.
------------------
Router A
------------------
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
!
crypto isakmp key testkey address 172.2.1.2
!
crypto ipsec transform-set Test-Set ah-sha256-hmac esp-aes 256 esp-sha256-hmac
!
crypto map TestPeers 40 ipsec-isakmp
description VPN to RouterB
set peer 172.2.1.2
set transform-set Test-Set
match address 104
!
interface Loopback1
ip address 192.168.11.11 255.255.255.0
!
interface GigabitEthernet0/1
ip address 10.1.11.2 255.255.255.0
no shutdown
!
interface GigabitEthernet0/0
description RouterA to WAN
ip address 172.2.1.1 255.255.255.0
crypto map TestPeers
crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 172.2.1.2
!
access-list 104 remark src-dest pairs for RouterA to RouterB
access-list 104 permit ip 10.1.11.0 0.0.0.255 172.2.1.0 0.0.0.255
############################################################################
---------------
Router B
---------------
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
!
crypto isakmp key testkey address 172.2.1.1
!
crypto ipsec transform-set Test-Set ah-sha256-hmac esp-aes 256 esp-sha256-hmac
!
crypto map TestPeers 10 ipsec-isakmp
description VPN to RouterA
set peer 172.2.1.1
set transform-set Test-Set
match address 101
!
interface GigabitEthernet0/1
ip address 10.2.11.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/0
description RouterB to WAN
ip address 172.2.1.2 255.255.255.0
crypto map TestPeers
crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 172.2.1.1
!
access-list 101 remark src-dest pairs for RouterB to RouterA
access-list 101 permit ip 10.2.11.0 0.0.0.255 172.2.1.0 0.0.0.255
access-list 101 permit ip 10.2.11.0 0.0.0.255 192.168.11.0 0.0.0.255
05-20-2014 10:40 AM
Hi,
Modify your crypto access-list:
Router A
access-list 104 remark src-dest pairs for RouterA to RouterB
access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255
Router B
access-list 101 remark src-dest pairs for RouterB to RouterA
access-list 101 permit ip 10.2.11.0 0.0.0.255 10.1.11.0 0.0.0.255
HTH
sandy
05-20-2014 01:21 PM
Sandy thank you for the reply. Changing that did allow the tunnel to build but now I am getting
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.2.11.2, src_addr= 10.1.11.1, prot= 1
on routerB, when I try to generate traffic to one of the laptops. So there is still an issue somewhere.
05-20-2014 05:17 PM
Hi,
Sorry for the inconvenience. I gave the wrong network subnet in the ACL; it must be 10.2.11.0/24.
Router A
access-list 104 remark src-dest pairs for RouterA to RouterB
no access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.11.0 0.0.0.255
HTH
Sandy
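Added example, not part of any post in this thread: a small checker that compares the crypto ACLs of the two peers and reports every entry whose exact reverse is missing on the other side, run over the ACL lines as first posted, with the 10.2.1.0 typo, and as corrected. The function names are hypothetical, and it assumes numbered "permit ip" entries with contiguous wildcard masks only.

```python
import ipaddress
import re

# Permit-ip lines of a numbered ACL: number, src, src wildcard, dst, dst wildcard.
ACE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)[ \t]*$", re.M)

def net(addr, wildcard):
    """Convert an address plus contiguous wildcard mask to an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - w.bit_length()))

def crypto_aces(config, acl):
    """Set of (source, destination) networks permitted by one ACL."""
    return {(net(s, sw), net(d, dw))
            for num, s, sw, d, dw in ACE.findall(config) if num == acl}

def unmirrored(local, remote):
    """Local entries whose exact reverse (dst, src) is absent on the peer."""
    return sorted(e for e in local if (e[1], e[0]) not in remote)

# ACL lines copied from the thread: as first posted, with the typo, and corrected.
A_POSTED = "access-list 104 permit ip 10.1.11.0 0.0.0.255 172.2.1.0 0.0.0.255\n"
B_POSTED = ("access-list 101 permit ip 10.2.11.0 0.0.0.255 172.2.1.0 0.0.0.255\n"
            "access-list 101 permit ip 10.2.11.0 0.0.0.255 192.168.11.0 0.0.0.255\n")
A_TYPO = "access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255\n"
A_FIXED = "access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.11.0 0.0.0.255\n"
B_FIXED = "access-list 101 permit ip 10.2.11.0 0.0.0.255 10.1.11.0 0.0.0.255\n"

def report(label, a_cfg, b_cfg):
    """Print and return (router, entry) pairs that lack a mirror on the peer."""
    a, b = crypto_aces(a_cfg, "104"), crypto_aces(b_cfg, "101")
    problems = [("RouterA", e) for e in unmirrored(a, b)]
    problems += [("RouterB", e) for e in unmirrored(b, a)]
    for router, (src, dst) in problems:
        print(f"{label}: {router} {src} -> {dst} has no mirror on the peer")
    return problems

if __name__ == "__main__":
    report("posted", A_POSTED, B_POSTED)
    report("typo", A_TYPO, B_FIXED)
    print("fixed:", report("fixed", A_FIXED, B_FIXED) or "ACLs mirror each other")
```
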
05-21-2014 06:10 AM
Sandy,
Thank you very much. I should have caught that.
Joe