05-11-2012 07:11 AM - edited 02-21-2020 06:03 PM
Hi Everyone.
I was making some changes on the routers, and after I rolled back the configuration a GRE tunnel won't work. It's a GRE tunnel between a Cisco 7600 and a Cisco 2851.
It seems like the 7600 sent packets unencrypted.
On the C2851 this message is received:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47
Could you check the attached configuration and give any advice?
Thank you.
05-11-2012 12:31 PM
Please change your ACL data type to IP instead of GRE on both ACLs below.
ip access-list extended acl_crypto_KS_pronet
 permit gre host 10.0.0.18 host 10.0.0.10
ip access-list extended acl_crypto_HO_pronet
 permit gre host 10.0.0.10 host 10.0.0.18
Your authentication is not pre-share?
crypto isakmp policy 32
 encr aes 192
 authentication rsa-encr
 group 2
05-13-2012 11:54 PM
Thank you for your response; it doesn't work. I wanted to say that it has worked before, and yes, it is not pre-share.
05-14-2012 12:59 AM
I went through the configuration and think all required components are in there.
I would say that we should check routing.
The error message means that the packet received should, as per local policy, have been an IPsec-encrypted packet; however, it was a plain-text packet.
Going further:
* Please check if the tunnel is up and share show crypto ipsec sa from either end.
* Please check if the packets leaving the other end are taking the right exit interface and, if yes, whether they are encrypted or not. You can check this with the help of an ACL (disabling CEF if this is not in production and there is no MPLS link involved).
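The check behind this message, as an added example that is not part of the original thread: it parses RECVD_PKT_NOT_IPSEC lines and tests each cleartext packet against the mirror image of the local crypto ACL. The log timestamps are constructed, and treating the `host 10.0.0.10 host 10.0.0.18` entry as the ACL applied on the receiving router is an assumption.

```python
import re
from collections import Counter

# Keywords used in the crypto ACLs on the page; None means "any IP protocol".
PROTO = {"gre": 47, "ip": None}

MSG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"vrf/dest_addr=\s*(?P<vrf>[^/\s]*)/(?P<dst>[\d.]+),\s*"
    r"src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)",
    re.S,  # the message wraps onto a second line, as in the post
)
ACE_RE = re.compile(r"permit\s+(\w+)\s+host\s+([\d.]+)\s+host\s+([\d.]+)")

# Constructed sample: message text as quoted in the thread, timestamps invented.
SAMPLE_LOG = """\
May 11 07:02:11: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47
May 11 07:03:11: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47
"""
# Assumption: this is the crypto ACL entry applied on the receiving router.
LOCAL_ACL = "permit gre host 10.0.0.10 host 10.0.0.18"

def parse_events(log_text):
    """Return (src, dst, prot) for every RECVD_PKT_NOT_IPSEC message."""
    return [(m["src"], m["dst"], int(m["prot"])) for m in MSG_RE.finditer(log_text)]

def parse_crypto_acl(acl_text):
    """Return (proto, local, remote) for each 'permit <proto> host A host B' entry."""
    return [(PROTO[p], a, b) for p, a, b in ACE_RE.findall(acl_text) if p in PROTO]

def expected_ipsec(event, aces):
    """Inbound traffic is checked against the mirror of the local crypto ACL:
    ACL source = our address (packet dst), ACL destination = peer (packet src)."""
    src, dst, prot = event
    return any(local == dst and remote == src and proto in (None, prot)
               for proto, local, remote in aces)

def summarize(log_text, acl_text):
    """Count events, keyed by (event, matched-local-policy)."""
    aces = parse_crypto_acl(acl_text)
    return Counter((ev, expected_ipsec(ev, aces)) for ev in parse_events(log_text))

if __name__ == "__main__":
    for (ev, hit), n in summarize(SAMPLE_LOG, LOCAL_ACL).items():
        verdict = "matches crypto ACL, peer sent it in clear" if hit else "no crypto ACL match"
        print(f"{n}x src={ev[0]} dst={ev[1]} prot={ev[2]}: {verdict}")
```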
05-14-2012 01:28 AM
Your config looks good.
If you're getting unencrypted packets on the 2800, that means something is wrong on the cat7k. Is the peer reached via the crypto connect vlan? Can you check that?
Cheers,
05-14-2012 01:31 AM
Hi Everybody.
Thank you for taking your time.
I solved the problem with a hardware reset of the Cisco 7600.
I didn't want to do that, but, like Microsoft, Cisco needs a reload.
05-14-2012 01:56 AM
Weird - a reload should never be necessary. Anyway... if it's fixed then it's fixed :-)