Why is this VPN setup not working?

josephsmar1
Level 1

This is set up on two Cisco 3900 series routers. When I try to ping from a laptop I get the error:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.1.11.2, src_addr= 172.2.1.2, prot= 1

On routerA. Any help would be appreciated.

------------------
Router A
------------------

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key testkey address 172.2.1.2
!
crypto ipsec transform-set Test-Set ah-sha256-hmac esp-aes 256 esp-sha256-hmac
!
crypto map TestPeers 40 ipsec-isakmp
 description VPN to RouterB
 set peer 172.2.1.2
 set transform-set Test-Set
 match address 104
!
interface Loopback1
 ip address 192.168.11.11 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.1.11.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0
 description RouterA to WAN
 ip address 172.2.1.1 255.255.255.0
 crypto map TestPeers
 crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 172.2.1.2
!
access-list 104 remark src-dest pairs for RouterA to RouterB
access-list 104 permit ip 10.1.11.0 0.0.0.255 172.2.1.0 0.0.0.255


############################################################################


---------------
Router B
---------------


crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key testkey address 172.2.1.1
!
crypto ipsec transform-set Test-Set ah-sha256-hmac esp-aes 256 esp-sha256-hmac
!
crypto map TestPeers 10 ipsec-isakmp
 description VPN to RouterA
 set peer 172.2.1.1
 set transform-set Test-Set
 match address 101
!
interface GigabitEthernet0/1
 ip address 10.2.11.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0
 description RouterB to WAN
 ip address 172.2.1.2 255.255.255.0
 crypto map TestPeers
 crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 172.2.1.1
!
access-list 101 remark src-dest pairs for RouterB to RouterA
access-list 101 permit ip 10.2.11.0 0.0.0.255 172.2.1.0 0.0.0.255
access-list 101 permit ip 10.2.11.0 0.0.0.255 192.168.11.0 0.0.0.255

Hi,

Modify your crypto access-list:

Router A

access-list 104 remark src-dest pairs for RouterA to RouterB
access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255

Router B

 

access-list 101 remark src-dest pairs for RouterB to RouterA
access-list 101 permit ip 10.2.11.0 0.0.0.255 10.1.11.0 0.0.0.255

 

HTH

sandy

 

Sandy thank you for the reply. Changing that did allow the tunnel to build but now I am getting

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.2.11.2, src_addr= 10.1.11.1, prot= 1

on routerB, when I try to generate traffic to one of the laptops. So there is still an issue somewhere.

Hi,

Sorry for the inconvenience, I gave the wrong network subnet in the ACL; it must be 10.2.11.0/24.

Router A

access-list 104 remark src-dest pairs for RouterA to RouterB
no access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.11.0 0.0.0.255

HTH

Sandy

Sandy,

Thank you very much. I should have caught that.


Joe
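
The fix in this thread comes down to the crypto ACLs on the two peers being mirror images of each other. The Python check below is an added example, not part of the thread: its function names are hypothetical, it handles only `permit ip` entries with contiguous wildcards, and it runs against the ACL lines posted above.

```python
import ipaddress
import re

# Matches the extended-ACL form used in the thread:
#   access-list <n> permit ip <src> <wildcard> <dst> <wildcard>
# "remark" and "no access-list ..." lines deliberately do not match.
ACE = re.compile(
    r"^\s*access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def _net(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard is always 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def crypto_pairs(config, acl):
    """Return the set of (source, destination) networks permitted by ACL `acl`."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line)
        if m and m.group(1) == str(acl):
            pairs.add((_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return pairs

def unmirrored(cfg_a, acl_a, cfg_b, acl_b):
    """List entries on either router that have no exact mirror on the peer."""
    a, b = crypto_pairs(cfg_a, acl_a), crypto_pairs(cfg_b, acl_b)
    missing = [("A", s, d) for s, d in sorted(a) if (d, s) not in b]
    missing += [("B", s, d) for s, d in sorted(b) if (d, s) not in a]
    return [(side, str(s), str(d)) for side, s, d in missing]

# ACL lines copied from the thread: original post, first reply, corrected reply.
A_ORIGINAL = "access-list 104 permit ip 10.1.11.0 0.0.0.255 172.2.1.0 0.0.0.255"
B_ORIGINAL = """access-list 101 permit ip 10.2.11.0 0.0.0.255 172.2.1.0 0.0.0.255
access-list 101 permit ip 10.2.11.0 0.0.0.255 192.168.11.0 0.0.0.255"""
A_FIRST_REPLY = "access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255"
A_FIXED = "access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.11.0 0.0.0.255"
B_FIXED = "access-list 101 permit ip 10.2.11.0 0.0.0.255 10.1.11.0 0.0.0.255"

if __name__ == "__main__":
    for label, a, b in [("original", A_ORIGINAL, B_ORIGINAL),
                        ("first reply", A_FIRST_REPLY, B_FIXED),
                        ("corrected", A_FIXED, B_FIXED)]:
        print(label, unmirrored(a, 104, b, 101) or "mirrored")
```

Any entry it reports is a flow that one router treats as protected while the peer does not, which is the situation in which IOS logs `%CRYPTO-4-RECVD_PKT_NOT_IPSEC`.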