Cisco Support Community
New Member

CRYPTO-4-RECVD_PKT_NOT_IPSEC

I configured Dual Hub IPSec with preshared keys over GRE Tunnels.

(1st tunnel to Hub A, 2nd tunnel to Hub B)

Tunnel to Hub A is up & down to Hub B. How can I fix it?

Following messages in log on spoke routers:

*Mar 3 20:42:03.631: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.0.26, src_addr= 172.16.0.2, prot= 47

Hub A

Crypto Map "ua" 10 ipsec-isakmp

Peer = 172.16.0.26

Extended IP access list 150

access-list 150 permit gre host 172.16.0.50 host 172.16.0.26

Current peer: 172.16.0.58

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={ des, }

Interfaces using crypto map ua:

Serial0/0.200

Hub B

Crypto Map "ua" 10 ipsec-isakmp

Peer = 172.16.0.26

Extended IP access list 150

access-list 150 permit gre host 172.16.0.2 host 172.16.0.26

access-list 150 permit gre host 172.16.0.2 host 172.16.0.18

Transform sets={ des, }

Interfaces using crypto map ua:

Serial0/0.200

sh crypto isakmp sa

172.16.0.2 172.16.0.26 QM_IDLE 2 0

sh crypto engine connections active

2 Fa0/0.300 172.16.0.2 set HMAC_MD5+DES_56_CB 0 0

Spoke

Crypto Map "kiev" 10 ipsec-isakmp

Peer = 172.16.0.50

Peer = 172.16.0.2

Extended IP access list 115

access-list 115 permit gre host 172.16.0.26 host 172.16.0.50

access-list 115 permit gre host 172.16.0.26 host 172.16.0.2

Current peer: 172.16.0.50

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

des,

}

Interfaces using crypto map kiev:

FastEthernet0

2 REPLIES
Cisco Employee

Re: CRYPTO-4-RECVD_PKT_NOT_IPSEC

Going by your output you have the following configured on the spoke:

crypto map kiev 10 ipsec-isakmp

   set peer 172.16.0.50

   set peer 172.16.0.2

   set trans

   match address 115

By defining only one instance of the crypto map and putting two "set peer" statements under it you're saying that you want the second peer to act only as a backup to the first peer in case it is down, which is what you're seeing.

If you actually want both to be up at once for redundancy and routing purposes then you need to define two instances of the crypto map and separate them out as such:

crypto map kiev 10 ipsec-isakmp

   set peer 172.16.0.50

   set trans

   match address 115

crypto map kiev 20 ipsec-isakmp

   set peer 172.16.0.2

   set trans

   match address 120

access-list 115 permit gre host 172.16.0.26 host 172.16.0.50

access-list 120 permit gre host 172.16.0.26 host 172.16.0.2

Note there are two instances of the same crypto map (instance 10 and 20) pointing to two different peers with two different access-lists. Both should come up now if your routing process includes the tunnel interfaces.
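The rule in the reply above, as an added example that is not part of the original thread and is not Cisco code: a Python audit that reads `show crypto map`-style text in the layout quoted in this thread, flags any entry with more than one peer (the extra peers act only as backups), and flags entries whose crypto ACL GRE destinations differ from their peers. It assumes, as in this thread, that each GRE tunnel destination is also the IPsec peer address; the sample text is constructed and the map name "fixed" is hypothetical.

```python
import re

# Constructed sample, trimmed to the lines of the "show crypto map" layout
# quoted in this thread that the audit needs. "fixed" is a hypothetical name.
SAMPLE = '''\
Crypto Map "kiev" 10 ipsec-isakmp
Peer = 172.16.0.50
Peer = 172.16.0.2
access-list 115 permit gre host 172.16.0.26 host 172.16.0.50
access-list 115 permit gre host 172.16.0.26 host 172.16.0.2
Crypto Map "fixed" 10 ipsec-isakmp
Peer = 172.16.0.50
access-list 115 permit gre host 172.16.0.26 host 172.16.0.50
Crypto Map "fixed" 20 ipsec-isakmp
Peer = 172.16.0.2
access-list 120 permit gre host 172.16.0.26 host 172.16.0.2
'''

ENTRY = re.compile(r'crypto map "([^"]+)" (\d+) ipsec-isakmp', re.I)
PEER = re.compile(r'Peer = (\S+)')  # match() anchors, so "Current peer:" is skipped
ACE = re.compile(r'access-list \d+ permit gre host (\S+) host (\S+)')


def parse_entries(text):
    """Return {(map_name, seq): {"peers": [...], "gre_dsts": [...]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := ENTRY.match(line):
            key = (m[1], int(m[2]))
            current = entries.setdefault(key, {"peers": [], "gre_dsts": []})
        elif current and (m := PEER.match(line)):
            current["peers"].append(m[1])
        elif current and (m := ACE.match(line)):
            current["gre_dsts"].append(m[2])
    return entries


def audit(text):
    """List findings: backup-only peers and ACL/peer mismatches per entry."""
    findings = []
    for (name, seq), e in sorted(parse_entries(text).items()):
        if len(e["peers"]) > 1:
            findings.append((name, seq, "backup-peers-only", e["peers"][1:]))
        # Assumption: tunnel destination == IPsec peer, as in this thread.
        unmatched = sorted(set(e["gre_dsts"]) ^ set(e["peers"]))
        if unmatched:
            findings.append((name, seq, "acl-peer-mismatch", unmatched))
    return findings
```

Calling `audit(SAMPLE)` reports only the single-entry "kiev" map; the two-entry layout produces no findings.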

New Member

Re: CRYPTO-4-RECVD_PKT_NOT_IPSEC

Thanks for your answer. You are right & now I'm implementing EIGRP in my network & I need both tunnels to be active at the same time.

Do I need to change the crypto map on Hub B?

I changed config on the Spoke router:

Crypto Map "kiev" 10 ipsec-isakmp

Peer = 172.16.0.50

Extended IP access list 115

access-list 115 permit gre host 172.16.0.10 host 172.16.0.50

Current peer: 172.16.0.50

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

des,

}

Crypto Map "kiev" 20 ipsec-isakmp

Peer = 172.16.0.2

Extended IP access list 116

access-list 116 permit gre host 172.16.0.10 host 172.16.0.2

Current peer: 172.16.0.2

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

des,

}

Interfaces using crypto map kiev:

FastEthernet0

Extended IP access list 115

10 permit gre host 172.16.0.10 host 172.16.0.50 (2659 matches)

Extended IP access list 116

10 permit gre host 172.16.0.10 host 172.16.0.2 (138 matches)

But I still can't ping the tunnel IP of Hub B.

Here is crypto map from Hub B.

crypto Map "ua" 10 ipsec-isakmp

Peer = 172.16.0.50

Peer = 172.16.0.10

Peer = 172.16.0.26

Peer = 172.16.0.54

Peer = 172.16.0.58

Extended IP access list 150

access-list 150 permit gre host 172.16.0.2 host 172.16.0.50

access-list 150 permit gre host 172.16.0.2 host 172.16.0.10

access-list 150 permit gre host 172.16.0.2 host 172.16.0.26

access-list 150 permit gre host 172.16.0.2 host 172.16.0.54

access-list 150 permit gre host 172.16.0.2 host 172.16.0.58

Current peer: 172.16.0.10

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={ des, }

Interfaces using crypto map ua:

FastEthernet0/0.300
