New Member

Problem with VPN link

Good morning. When trying to connect from a Cisco VPN client to the router that holds the VPN configuration, the following error appears: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x was not encrypted and it should've been. I would like to know how to fix this problem or what might be causing it. Thanks for any help you can give.


RO_#sh run 
Building configuration...


Current configuration : 15823 bytes
!
! Last configuration change at 16:42:32 CARACAS Tue Oct 13 2015 by adminpcm37
version 15.3
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname RO_PCM_INTERNET
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.153-2.T.bin
boot-end-marker
!
!
logging buffered 3000000
enable secret 5 $1$1kvb$rheitSXzZ7oDgi14WQRUL0
enable password 7 0014100B16080F551C731C1F5C
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login EZVPN_LOGIN local
aaa authentication enable default enable
aaa authorization network EZVPN_AUTHOR local 
!
!
!
!
!
aaa session-id common
clock timezone CARACAS -4 30
!
ip cef
!
!
!
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name pcm.com.ve
ip name-server 200.44.32.12
ip name-server 200.44.32.13
ip name-server 200.35.65.4
ip name-server 200.35.65.3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
password encryption aes
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1550AHQK
hw-module pvdm 0/0
!
!
!
username adminpcm37 privilege 15 secret 5 $1$dj58$Gzen5hkpXyzqO/UMTRW4w1
username drivas secret 5 $1$T9gG$VuT4wpu.J6zQ9jJSkJLAW0
username lwarrick secret 5 $1$OgIC$DEHjfMBCA5pshPYdrtZmF.
username jdiaz secret 5 $1$6mj4$fd4E9aQHnSiAPiYqes6ar0
username fhernandez secret 5 $1$RlZS$0zZFaj5FI/jQfPzUFGlyD/
username jaguilera secret 5 $1$tO8S$.8LBi9MgKJE/dD8FZ.P7S0
username gdonnice secret 5 $1$qfsu$ZNbPNh6vZxymN0NfDd08B0
username pasquale secret 5 $1$7XsB$b84x0nqWmDsTvCz1iTKEG.
username ingeserv privilege 15 secret 5 $1$9bIE$3BvxFLr0xyzpjsKRPfZyX0
username pcm37 privilege 14 secret 5 $1$4A/r$h9LbohoZsb9GSkyDq.vEP/
username pcm2015 privilege 14 secret 4 3ts7JOV1zNngiMJsVwe2CfnX.qNHmu0wLIcd7XcuDRk
username ingeserv15 privilege 15 secret 4 MudmhkHzF/DmqDQv8RRqcam2IqPXDQq2jpMewzs3CsQ
username pcmadmin15 privilege 15 secret 4 92mCPQ.0K.1bXHW/Pqo6ZtsAGEUwEGabgCDAdIFyOOM
!
redundancy
!         
!
!
!
!
ip ssh version 2
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
track 30 ip sla 3 reachability
 delay down 1 up 1
!
class-map match-all prueba

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group INFRAESTRUCTURA
 key 6 fSLRJ[\LCUOfZQQQFUWcQcVdaOIbgiJRYbLO\NeKOY
 domain pcm.com.ve
 pool INFRAESTRUCTURA_POOL
 acl SPLIT_VPN
 max-users 10
 max-logins 10
 netmask 255.255.255.0
!
crypto isakmp client configuration group TELECOMUNICACIONES
 key 6 GXFOG\A\TA]]KMhaL\fa][MIb_MLGRPZc\YbF`GDIRCOgAAB
 domain pcm.com.ve
 pool TELECOM_POOL
 acl SPLIT_VPN
 max-users 10
 max-logins 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto dynamic-map DYNAMIC_MAP 10
 set transform-set 3DES_SHA 
 reverse-route
!
!
crypto map STATIC_MAP client authentication list EZVPN_LOGIN
crypto map STATIC_MAP isakmp authorization list EZVPN_AUTHOR
crypto map STATIC_MAP client configuration address respond
crypto map STATIC_MAP 10 ipsec-isakmp dynamic DYNAMIC_MAP 
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ETH_LAN
 ip address 200.109.106.153 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map NEXT-HOP
 load-interval 60
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CONEXION BYPASS VPNs DE CONTINGENCIA VIA MOVISTAR
 ip address 172.24.0.1 255.255.255.252
 ip policy route-map NEXT_HOP_VPN
 duplex auto
 speed 100
!
interface GigabitEthernet0/2
 no ip address
 ip flow ingress
 ip flow egress
 shutdown
 duplex full
 speed 100
!
interface Serial0/0/0
 description CONEXION CANTV - INTERNET CIRCUITO # 127153
 no ip address
 ip flow ingress
 ip flow egress
 encapsulation frame-relay
 load-interval 60
 frame-relay lmi-type ansi
!
interface Serial0/0/0.6 point-to-point
 description CONEXION CANTV - INTERNET CIRCUITO # 127153
 ip address 200.44.124.122 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 frame-relay interface-dlci 60   
!
interface Serial0/0/1
 description CONEXION MOVISTAR_INTERNET
 no ip address
 ip flow ingress
 ip flow egress
 encapsulation frame-relay IETF
 load-interval 60
 clock rate 2000000
 frame-relay lmi-type cisco
!
interface Serial0/0/1.16 point-to-point
 description CONEXION MOVISTAR INTERNET CIRCUITO # 3001
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 frame-relay interface-dlci 16   
 crypto map STATIC_MAP
!
interface FastEthernet0/1/0
 description MPLS-CANTV
 no ip address
 ip flow ingress
 ip flow egress
 load-interval 30
 duplex full
 speed 100
!
interface FastEthernet0/1/0.849
 description CONEXION METROETHERNET CANTV
 bandwidth 4000
 encapsulation dot1Q 849
 ip address 201.249.167.206 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
!
interface FastEthernet0/2/0
 description CONEXION WAN-TELEFONICA
 no ip address
 ip flow ingress
 ip flow egress
 load-interval 30
 duplex full
 speed 100
!
interface FastEthernet0/2/0.907
 description ##POLICLINICA METROPOLITANA CCS_4Mbps (METRO-3001) ##
 bandwidth 4096
 encapsulation dot1Q 907
 ip address 10.18.249.182 255.255.255.252 secondary
 ip address 200.35.75.84 255.255.255.254
 ip nat outside
 ip virtual-reassembly in
!
ip local pool INFRAESTRUCTURA_POOL 172.16.174.1 172.16.174.10
ip local pool TELECOM_POOL 172.16.175.1 172.16.175.10
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 200.109.106.155 9996
ip flow-top-talkers
 top 100
 sort-by bytes
!
ip nat pool NAT 200.35.75.81 200.35.75.82 netmask 255.255.255.248
ip nat pool NAT2 201.249.203.105 201.249.203.106 netmask 255.255.255.248
ip nat pool NAT1 200.35.75.81 200.35.75.82 netmask 255.255.255.248
ip nat inside source route-map CANTV pool NAT2 overload
ip nat inside source route-map MOVISTAR pool NAT1 overload
ip route 0.0.0.0 0.0.0.0 201.249.167.205 track 10
ip route 0.0.0.0 0.0.0.0 200.44.124.121 track 20
ip route 0.0.0.0 0.0.0.0 10.18.249.181 track 30
ip route 0.0.0.0 0.0.0.0 200.44.124.121
ip route 0.0.0.0 0.0.0.0 201.249.167.205 10
ip route 0.0.0.0 0.0.0.0 10.18.249.181 10
ip route 10.0.0.0 255.0.0.0 172.24.0.2
ip route 10.97.0.70 255.255.255.255 200.109.106.157
ip route 10.130.0.0 255.255.0.0 200.109.106.155
ip route 10.131.0.0 255.255.0.0 200.109.106.155
ip route 10.132.0.0 255.255.0.0 200.109.106.155
ip route 10.133.0.0 255.255.0.0 200.109.106.155
ip route 10.134.0.0 255.255.0.0 200.109.106.155
ip route 192.168.12.0 255.255.255.252 172.24.0.2
ip route 192.168.12.2 255.255.255.255 GigabitEthernet0/0 10
!
ip access-list extended CONSULTORIOS
 permit tcp 10.130.0.0 0.0.255.255 any eq www
 permit tcp 10.131.0.0 0.0.255.255 any eq www
 permit tcp 10.132.0.0 0.0.255.255 any eq www
 permit tcp 10.133.0.0 0.0.255.255 any eq www
 permit tcp 10.134.0.0 0.0.255.255 any eq www
 permit tcp 10.135.0.0 0.0.255.255 any eq www
 permit tcp 10.130.0.0 0.0.255.255 any eq 443
 permit tcp 10.131.0.0 0.0.255.255 any eq 443
 permit tcp 10.132.0.0 0.0.255.255 any eq 443
 permit tcp 10.133.0.0 0.0.255.255 any eq 443
 permit tcp 10.134.0.0 0.0.255.255 any eq 443
 permit tcp 10.135.0.0 0.0.255.255 any eq 443
 permit udp 10.130.0.0 0.0.255.255 any eq domain
 permit udp 10.131.0.0 0.0.255.255 any eq domain
 permit udp 10.132.0.0 0.0.255.255 any eq domain
 permit udp 10.133.0.0 0.0.255.255 any eq domain
 permit udp 10.134.0.0 0.0.255.255 any eq domain
 permit tcp 10.130.0.0 0.0.255.255 any eq domain
 permit tcp 10.131.0.0 0.0.255.255 any eq domain
 permit tcp 10.132.0.0 0.0.255.255 any eq domain
 permit tcp 10.133.0.0 0.0.255.255 any eq domain
 permit tcp 10.134.0.0 0.0.255.255 any eq domain
 permit tcp 10.130.0.0 0.0.255.255 any eq smtp
 permit tcp 10.131.0.0 0.0.255.255 any eq smtp
 permit tcp 10.132.0.0 0.0.255.255 any eq smtp
 permit tcp 10.133.0.0 0.0.255.255 any eq smtp
 permit tcp 10.134.0.0 0.0.255.255 any eq smtp
 permit tcp 10.135.0.0 0.0.255.255 any eq smtp
 permit tcp 10.130.0.0 0.0.255.255 any eq pop3
 permit tcp 10.131.0.0 0.0.255.255 any eq pop3
 permit tcp 10.132.0.0 0.0.255.255 any eq pop3
 permit tcp 10.133.0.0 0.0.255.255 any eq pop3
 permit tcp 10.134.0.0 0.0.255.255 any eq pop3
 permit tcp 10.135.0.0 0.0.255.255 any eq pop3
 permit tcp 10.130.0.0 0.0.255.255 any eq 465
 permit tcp 10.131.0.0 0.0.255.255 any eq 465
 permit tcp 10.132.0.0 0.0.255.255 any eq 465
 permit tcp 10.133.0.0 0.0.255.255 any eq 465
 permit tcp 10.134.0.0 0.0.255.255 any eq 465
 permit tcp 10.135.0.0 0.0.255.255 any eq 465
 permit tcp 10.130.0.0 0.0.255.255 any eq 587
 permit tcp 10.131.0.0 0.0.255.255 any eq 587
 permit tcp 10.132.0.0 0.0.255.255 any eq 587
 permit tcp 10.133.0.0 0.0.255.255 any eq 587
 permit tcp 10.134.0.0 0.0.255.255 any eq 587
 permit tcp 10.135.0.0 0.0.255.255 any eq 587
 permit tcp 10.130.0.0 0.0.255.255 any eq 995
 permit tcp 10.131.0.0 0.0.255.255 any eq 995
 permit tcp 10.132.0.0 0.0.255.255 any eq 995
 permit tcp 10.133.0.0 0.0.255.255 any eq 995
 permit tcp 10.134.0.0 0.0.255.255 any eq 995
 permit tcp 10.135.0.0 0.0.255.255 any eq 995
 permit udp 10.130.0.0 0.0.255.255 any eq 5060
 permit udp 10.131.0.0 0.0.255.255 any eq 5060
 permit udp 10.132.0.0 0.0.255.255 any eq 5060
 permit udp 10.133.0.0 0.0.255.255 any eq 5060
 permit udp 10.134.0.0 0.0.255.255 any eq 5060
 permit udp 10.135.0.0 0.0.255.255 any eq 5060
 permit udp 10.130.0.0 0.0.255.255 any eq 5070
 permit udp 10.131.0.0 0.0.255.255 any eq 5070
 permit udp 10.132.0.0 0.0.255.255 any eq 5070
 permit udp 10.133.0.0 0.0.255.255 any eq 5070
 permit udp 10.134.0.0 0.0.255.255 any eq 5070
 permit udp 10.135.0.0 0.0.255.255 any eq 5070
ip access-list extended PERMIT_ALL_PBR
 deny   tcp any any eq www
 deny   tcp any any eq 443
 permit ip any any
ip access-list extended PERMIT_TELNET
 permit tcp any any eq telnet
ip access-list extended ROUTE-MAP2
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended SPLIT_VPN
 permit ip 10.0.0.0 0.255.255.255 172.16.174.0 0.0.1.255
 permit ip 192.168.12.0 0.0.0.255 172.16.174.0 0.0.1.255
!
ip sla auto discovery
ip sla 1
 icmp-echo 201.249.167.205
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.44.124.121
 frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 10.18.249.181
 frequency 5
ip sla schedule 3 life forever start-time now
ip sla logging traps
!
route-map MOVISTAR permit 10
 match ip address 17
 match interface FastEthernet0/2/0.907
!
route-map NEXT_HOP_VPN permit 10
 set ip next-hop verify-availability 10.18.249.181 30 track 30
!
route-map CANTV permit 10
 match ip address 17
 match interface FastEthernet0/1/0.849
!
route-map NEXT-HOP permit 10
 match ip address CONSULTORIOS
 set ip next-hop verify-availability 10.18.249.181 30 track 30
!
route-map NEXT-HOP permit 20
 match ip address ROUTE-MAP2
 set ip next-hop verify-availability 201.249.167.205 10 track 10
!
route-map NEXT-HOP permit 30
 match ip address PERMIT_ALL_PBR
 set ip next-hop verify-availability 200.44.124.121 20 track 20
!
!
snmp-server engineID local 00000009020000D0BAFE4628
snmp-server community pcmcommuro RW
snmp-server community pcmcommurw RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps entity-sensor threshold
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 10.97.0.70 pcmcommuro 
snmp-server host 10.100.101.26 pcmcommurw 
snmp-server host 10.97.0.70 pcmcommurw 
access-list 17 permit 200.109.106.152 0.0.0.7
access-list 17 permit 10.130.0.0 0.0.255.255
access-list 17 permit 10.131.0.0 0.0.255.255
access-list 17 permit 10.132.0.0 0.0.255.255
access-list 17 permit 10.133.0.0 0.0.255.255
access-list 17 permit 10.134.0.0 0.0.255.255
access-list 17 permit 10.135.0.0 0.0.255.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
access-list 101 permit ip 10.130.0.0 0.0.255.255 any
access-list 101 permit ip 10.131.0.0 0.0.255.255 any
access-list 101 permit ip 10.132.0.0 0.0.255.255 any
access-list 101 permit ip 10.133.0.0 0.0.255.255 any
access-list 101 permit ip 10.134.0.0 0.0.255.255 any
access-list 199 permit ip host 10.131.0.135 any
access-list 199 permit ip 10.130.0.0 0.0.255.255 any
access-list 199 permit ip 10.131.0.0 0.0.255.255 any
access-list 199 permit ip 10.132.0.0 0.0.255.255 any
!
!
!
control-plane
!
 !        
 !
 !
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
alias exec traffic show ip nbar protocol-discovery stats bit-rate top-n 20
banner login ^CCCC
**************  ESTA ES UNA RED PRIVADA OPERADA POR EL  **********
**************   Dpto. DE INFORMACION Y TECNOLOGIA DE   **********
**************   POLICLINICA METROPOLITANA. EL INGRESO  **********
************** DE PERSONAL NO AUTORIZADO ESTA PROHIBIDO **********
**************    Y PODRA SER SANCIONADO SEVERAMENTE    **********^C
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
!
end
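A small triage script, added here and not part of the thread, that parses IOS syslog lines in the format this router emits (sequence numbers and msec timestamps with the time-zone name are both enabled in the configuration above) and counts %CRYPTO-6-IKMP_NOT_ENCRYPTED messages per peer, so that repeated hits from one client stand out from a single stray retransmission. The sample log lines and their addresses are constructed, not taken from the thread.

```python
import re
from collections import Counter

# IOS syslog line as this router emits it (service sequence-numbers plus
# service timestamps log datetime msec localtime):
#   "000123: Oct 13 16:42:32.123 CARACAS: %FACILITY-SEVERITY-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}) (?P<tz>\S+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
PEER_RE = re.compile(r"IKE packet from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) was not encrypted")

def parse_line(line):
    """Return the fields of one syslog line, or None if it is not an IOS message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    peer = PEER_RE.search(rec["text"]) if rec["mnem"] == "IKMP_NOT_ENCRYPTED" else None
    rec["peer"] = peer.group("peer") if peer else None   # only set for this mnemonic
    return rec

def noisy_ike_peers(lines, threshold=3):
    """Peers that produced at least `threshold` IKMP_NOT_ENCRYPTED messages.

    One such message can be a retransmission that arrived late; repeats from the
    same peer mean that peer keeps failing Phase 1 and deserves a closer look."""
    counts = Counter(r["peer"] for r in map(parse_line, lines) if r and r["peer"])
    return {peer: n for peer, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation addresses; not captured from the router).
SAMPLE_LOG = """\
000301: Oct 13 16:40:01.117 CARACAS: %SYS-5-CONFIG_I: Configured from console by adminpcm37 on vty0 (10.130.0.5)
000302: Oct 13 16:41:10.004 CARACAS: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.0.2.10 was not encrypted and it should've been.
000303: Oct 13 16:41:12.009 CARACAS: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.0.2.10 was not encrypted and it should've been.
000304: Oct 13 16:41:13.250 CARACAS: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 198.51.100.7 was not encrypted and it should've been.
000305: Oct 13 16:41:16.011 CARACAS: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.0.2.10 was not encrypted and it should've been.
this line is not an IOS message and is skipped
""".splitlines()

if __name__ == "__main__":
    print(noisy_ike_peers(SAMPLE_LOG))  # {'192.0.2.10': 3}
```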

2 REPLIES
New Member

Usually this message is sent when the encryption ranges (ACLs) don't match; remember that for a VPN the parameters have to be the same on both ends. I recommend you give them a review.
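As an added check, written for this page and not taken from either reply, the script below parses the EZVPN pieces of an IOS running-config and verifies, for each client configuration group, that every address of its local pool is a permitted destination in its split-tunnel ACL, which is the kind of "ranges on both ends" comparison the reply refers to. The sample excerpt follows the shape of the configuration posted above; the VISITANTES group and its pool are invented to show a pool the ACL does not cover.

```python
import ipaddress

def parse_ios_config(text):
    """Group an IOS running-config into (command, [indented sub-commands]) pairs."""
    sections = []
    for line in (l.rstrip() for l in text.splitlines()):
        if not line.strip() or line.lstrip().startswith("!"):   # separators and comments
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections

def acl_address(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]  # wildcard = hostmask

def check_split_tunnel_pools(text):
    """Per client group: is every address of its local pool a permitted destination in its split ACL?"""
    pools, acls, groups = {}, {}, {}
    for head, body in parse_ios_config(text):
        t = head.split()
        if t[:3] == ["ip", "local", "pool"]:            # pool stored as a half-open int range
            pools[t[3]] = (int(ipaddress.IPv4Address(t[4])), int(ipaddress.IPv4Address(t[5])) + 1)
        elif t[:3] == ["ip", "access-list", "extended"]:  # keep only the destination of 'permit ip' entries
            acls[t[3]] = [acl_address(acl_address(e[2:])[1])[0] for e in map(str.split, body) if e[:2] == ["permit", "ip"]]
        elif t[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            groups[t[5]] = dict(line.split(None, 1) for line in body if " " in line)
    return {name: all(any(ipaddress.IPv4Address(a) in n for n in acls.get(attrs["acl"], []))
                      for a in range(*pools[attrs["pool"]]))
            for name, attrs in groups.items()}

# Constructed excerpt in the shape of the thread's config; the VISITANTES group is invented.
SAMPLE_CONFIG = """
crypto isakmp client configuration group INFRAESTRUCTURA
 pool INFRAESTRUCTURA_POOL
 acl SPLIT_VPN
crypto isakmp client configuration group VISITANTES
 pool VISITANTES_POOL
 acl SPLIT_VPN
ip local pool INFRAESTRUCTURA_POOL 172.16.174.1 172.16.174.10
ip local pool VISITANTES_POOL 172.16.180.1 172.16.180.10
ip access-list extended SPLIT_VPN
 permit ip 10.0.0.0 0.255.255.255 172.16.174.0 0.0.1.255
"""
```

Running `check_split_tunnel_pools(SAMPLE_CONFIG)` returns True for INFRAESTRUCTURA and False for VISITANTES; on the posted config both pools fall inside 172.16.174.0 0.0.1.255, so an equivalent run there reports both as covered.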

Silver

Hi Franklin,

I don't think it's an ACL problem; the configuration is for an EZVPN client.

With the following debugs you could get more information about the problem; it looks like an encryption problem.

* debug crypto ipsec client ezvpn
* debug crypto isakmp
* debug crypto ipsec

Regards,

-Randy-
