Cisco Support Community
New Member

IKEpacket from x.x.x.x was not encrypted and it should have been

New to the group and I do have a situation that I hope someone can help me with. I am trying to set up a lab for one of my courses and I am using XP with Cisco VPN Client 5.0.0.3, a Cisco 2621XM router and Cisco Secure ACS version 4.2 configured for RADIUS.

My problem is this, when I open the VPN client and click connect I get the following message back.

*Mar 1 01:21:49.935: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.14 was not encrypted and it should've been.

The packet is not getting past the router so I cannot even see if the ACS is working.

I have searched high and low and have not been able to find an answer to the problem. Can someone here give me a hand?

4 REPLIES

Re: IKEpacket from x.x.x.x was not encrypted and it should have

Please post your config.

New Member

Re: IKEpacket from x.x.x.x was not encrypted and it should have

I used the configuration from an example from the Cisco website. I will post it here. I also followed the setup outlined in the example for the ACS but it doesn't seem to get that far. Thanks for the help.

!--- Enable AAA for user authentication and group authorization.
aaa new-model
!
!--- In order to enable extended authentication (Xauth) for user authentication,
!--- enable the aaa authentication commands.
!--- "Group radius" specifies RADIUS user authentication.
aaa authentication login userauthen group radius
!--- In order to enable group authorization,
!--- enable the aaa authorization commands.
aaa authorization network groupauthor group radius
!
!
ip subnet-zero
ip audit po max-events 100
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created.
crypto dynamic-map dynmap 10
 set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 172.18.124.159 255.255.255.0
 no keepalive
 half-duplex
!
!--- Create a pool of addresses to be assigned
!--- to the VPN Clients.
ip local pool ippool 10.16.20.1 10.16.20.200
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip http server
ip pim bidir-enable
!
!--- Specify the IP address of the RADIUS server,
!--- along with the RADIUS shared secret key.
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
call rsvp-sync

Re: IKEpacket from x.x.x.x was not encrypted and it should have

Perhaps you should establish a working configuration with local authentication and authorization, and then migrate to RADIUS.

If you agree, you might try this first:

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group psk-grp
 key cisco123
 pool ippool
 acl 101
crypto isakmp profile psk-prof
 match identity group psk-grp
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile psk-prof
 reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
 crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
access-list 101 remark --- Split tunneling for VPN client.
access-list 101 permit ip 172.18.124.0 0.0.0.255 10.16.20.0 0.0.0.255
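
Both configurations in this thread tie named objects together (AAA method lists, the client group, the address pool, the split-tunnel ACL), so a quick cross-reference check is useful before testing with a client. The script below is an added example, not part of the thread and not Cisco code; its patterns cover only the command forms shown here, and the sample is constructed from commands in the reply above with the group's pool name deliberately mistyped as vpnpool.

```python
import re

# Commands that define a named object, and commands that refer to one.
DEFINES = [
    ("aaa-authn", r"^aaa authentication login (\S+)"),
    ("aaa-authz", r"^aaa authorization network (\S+)"),
    ("group", r"^crypto isakmp client configuration group (\S+)"),
    ("pool", r"^ip local pool (\S+)"),
    ("acl", r"^access-list (\d+)"),
]
REFERS = [
    ("aaa-authn", r"client authentication list (\S+)"),
    ("aaa-authz", r"isakmp authorization list (\S+)"),
    ("group", r"^match identity group (\S+)"),
    ("pool", r"^pool (\S+)|address-pool local (\S+)"),
    ("acl", r"^acl (\d+)"),
]

def scan(config, table):
    """Return the set of (kind, name) pairs matched by a pattern table."""
    found = set()
    for line in map(str.strip, config.splitlines()):
        for kind, pattern in table:
            m = re.search(pattern, line)
            if m:
                found.add((kind, next(g for g in m.groups() if g)))
    return found

def cross_check(config):
    """Return (referenced but not defined, defined but not referenced)."""
    defined, referenced = scan(config, DEFINES), scan(config, REFERS)
    return sorted(referenced - defined), sorted(defined - referenced)

# Constructed sample: "pool vpnpool" is a deliberate typo for "pool ippool",
# so one reference dangles and the real pool is never used.
SAMPLE = """\
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp client configuration group psk-grp
 pool vpnpool
 acl 101
crypto isakmp profile psk-prof
 match identity group psk-grp
 client authentication list userauthen
 isakmp authorization list groupauthor
ip local pool ippool 10.16.20.1 10.16.20.200
access-list 101 permit ip 172.18.124.0 0.0.0.255 10.16.20.0 0.0.0.255
"""

print(cross_check(SAMPLE))
```

An empty first list means every reference resolves locally; an entry in the second list is an object the configuration defines but never uses.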

New Member

Re: IKEpacket from x.x.x.x was not encrypted and it should have

Thanks for the reply. I did have it working with AAA local and wanted to move on to the ACS. Do you think I should continue on with RADIUS or go over to TACACS+?
