Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

User receives the IKE packet from [IP_address] was not encrypted and it should've been error message

Core issue

The %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from [IP_address] was not encrypted    and it should've been error message results from a portion of the Internet Key Exchange (IKE) being encrypted, and a portion being unencrypted. This message should have been encrypted, but was not.

Resolution

The recommended action is to contact the remote peer.

Make sure that the Access Control Lists (ACLs) configured for the crypto map are mirror    images of each other at opposite VPN endpoints. For example, if you have the access-list command on VPN router A, then VPN router B would need to be configured identically, as shown:

access-list 101 permit ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 192.168.2.0 0.0.0.255

This output shows how the VPN router B needs to be configured:

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255

Note: Do not use the any keyword in crypto access-list commands.

If you still receive the same error message after you have configured the ACLs correctly, capture the VPN debugs on the remote end, and look for error messages there.

For an explanation of common debug error messages used in resolving IPSec issues, refer to IP Security Troubleshooting - Understanding and Using debug Commands.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 05:05 PM
Updated by:
 
Labels (1)