2811 won't encrypt packets

Jan 11th, 2008

I am trying to bring up a tunnel between my older 2811 and my new ISR 2811. The tunnel shows QM_IDLE with a sho cry isa sa on both devices but I can't ping across the /30 that I assigned to the tunnel interface and sho ip eigrp neigh doesn't show them as neighbors. I have 10 or so tunnels just like this on the older 2811 but this is the first attempt using the newer ISR 2811. I am using firmware version 12.4(15)T1 (C2800NM-ADVIPSERVICESK9-M). When I do a sho cry eng conn active I see decrypts but 0 encrypts. Help..

Danilo Dy Fri, 01/11/2008 - 21:37

Hi,


Make sure that the VPN ACL is symmetric.

Router-A VPN ACL

Source: Network-A

Destination: Network-B

Router-B ACL

Source: Network-B

Destination: Network-A


Enable these debugs on both routers and post the output here (check that the clock is correct before turning debug on).

Router# debug crypto isakmp

Router# debug crypto isakmp error

Router# debug crypto ipsec

Router# debug crypto pki


Do you have an ACL on the interface of the VPN gateway, i.e. "ip access-group ACL# in/out"? This ACL should include not only the VPN gateways but also the networks permitted to travel through the VPN tunnel.


Regards,

Dandy
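
The symmetry check suggested in the reply above, as an added example that is not part of the original thread: it parses the numbered `access-list N permit ...` lines from both peers and reports any entry that has no source/destination-swapped twin on the other side. The function names, ACL numbers and addresses (documentation ranges) are constructed for illustration, and port qualifiers are ignored.

```python
import ipaddress

def _take_addr(tok):
    """Consume one IOS address spec; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # "address wildcard": the wildcard is an inverted netmask
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acl(config, acl_id):
    """Set of (protocol, src, dst) permit entries of one numbered ACL.
    Port qualifiers after the addresses are ignored (simplification)."""
    entries = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl_id, "permit"]:
            continue
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.add((tok[3], src, dst))
    return entries

def mirror_mismatches(cfg_a, cfg_b, acl_id):
    """Entries on one peer with no source/destination-swapped twin on the other."""
    a = parse_acl(cfg_a, acl_id)
    b_swapped = {(p, d, s) for p, s, d in parse_acl(cfg_b, acl_id)}
    out = [f"A only: {p} {s} -> {d}" for p, s, d in a - b_swapped]
    out += [f"B only: {p} {d} -> {s}" for p, s, d in b_swapped - a]
    return sorted(out)

# Constructed sample configs: ACL 180 is mirrored, ACL 181 has a wildcard mismatch.
ROUTER_A = """
access-list 180 permit gre host 192.0.2.1 host 198.51.100.1
access-list 181 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
ROUTER_B = """
access-list 180 permit gre host 198.51.100.1 host 192.0.2.1
access-list 181 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.0.255
"""

if __name__ == "__main__":
    for acl in ("180", "181"):
        print(acl, mirror_mismatches(ROUTER_A, ROUTER_B, acl) or "symmetric")
```
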

cirrushelpdesk Mon, 01/14/2008 - 08:43

from the vpn gateway

access-list 180 permit gre host xxx.xxx.3.70 host 64.209.111.130

from the 2811 ISR

access-list 180 permit gre host 64.209.111.130 host xxx.xxx.3.70

I have a blanket statement to let all VPN related traffic through on my outside facing interface on the vpn gateway both ways. I don't have an ACL yet on the interface on the 2811ISR. This is all I get from the debugs, on the 2811

Jan 14 10:40:32: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /141.131.3.70, src_addr= 64.209.111.130, prot= 47

on the 2811ISR

Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440
