Cisco Support Community

Why is this VPN setup not working?

This is set up on two Cisco 3900 series routers. When I try to ping from a laptop I get the error:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.1.11.2, src_addr= 172.2.1.2, prot= 1

On routerA. Any help would be appreciated.

 

------------------
Router A
------------------

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key testkey address 172.2.1.2
!
crypto ipsec transform-set Test-Set ah-sha256-hmac esp-aes 256 esp-sha256-hmac
!
crypto map TestPeers 40 ipsec-isakmp
 description VPN to RouterB
 set peer 172.2.1.2
 set transform-set Test-Set
 match address 104
!
interface Loopback1
 ip address 192.168.11.11 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.1.11.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0
 description RouterA to WAN
 ip address 172.2.1.1 255.255.255.0
 crypto map TestPeers
 crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 172.2.1.2
!
access-list 104 remark src-dest pairs for RouterA to RouterB
access-list 104 permit ip 10.1.11.0 0.0.0.255 172.2.1.0 0.0.0.255


############################################################################


---------------
Router B
---------------


crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key testkey address 172.2.1.1
!
crypto ipsec transform-set Test-Set ah-sha256-hmac esp-aes 256 esp-sha256-hmac
!
crypto map TestPeers 10 ipsec-isakmp
 description VPN to RouterA
 set peer 172.2.1.1
 set transform-set Test-Set
 match address 101
!
interface GigabitEthernet0/1
 ip address 10.2.11.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0
 description RouterB to WAN
 ip address 172.2.1.2 255.255.255.0
 crypto map TestPeers
 crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 172.2.1.1
!
access-list 101 remark src-dest pairs for RouterB to RouterA
access-list 101 permit ip 10.2.11.0 0.0.0.255 172.2.1.0 0.0.0.255
access-list 101 permit ip 10.2.11.0 0.0.0.255 192.168.11.0 0.0.0.255

4 REPLIES

Hi,

Modify your crypto access-list:

Router A

access-list 104 remark src-dest pairs for RouterA to RouterB
access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255

Router B

 

access-list 101 remark src-dest pairs for RouterB to RouterA
access-list 101 permit ip 10.2.11.0 0.0.0.255 10.1.11.0 0.0.0.255

 

HTH

sandy

 

Sandy, thank you for the reply. Changing that did allow the tunnel to build, but now I am getting

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.2.11.2, src_addr= 10.1.11.1, prot= 1

on routerB when I try to generate traffic to one of the laptops. So there is still an issue somewhere.

Accepted Solution

Hi,

Sorry for the inconvenience, I have given the wrong network subnet in the ACL; it must be 10.2.11.0/24.

Router A

access-list 104 remark src-dest pairs for RouterA to RouterB
no access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.11.0 0.0.0.255

HTH

Sandy

Sandy,

Thank you very much. I should have caught that.


Joe
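
As an added example (not code from the thread or from Cisco), this Python sketch checks that the crypto ACLs on two peers are mirror images of each other, using the ACL lines posted above; the function names are hypothetical. Entries the peer expects to arrive encrypted but the local ACL does not match are sent in clear, which is the condition %CRYPTO-4-RECVD_PKT_NOT_IPSEC reports.

```python
import ipaddress
import re

# Only the "permit ip <net> <wildcard> <net> <wildcard>" form used in this thread is
# parsed; "host"/"any" keywords and named ACLs are outside this sketch.
ACE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network (contiguous wildcards only)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}")

def crypto_acl(config, acl_id):
    """Return the set of (source, destination) networks permitted by one numbered ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.fullmatch(line.strip())  # "remark" and "no access-list" lines do not match
        if m and int(m.group(1)) == acl_id:
            pairs.add((to_network(m.group(2), m.group(3)),
                       to_network(m.group(4), m.group(5))))
    return pairs

def mirror_mismatches(local, remote):
    """Return (local entries the peer does not mirror, mirrored peer entries missing locally)."""
    mirrored = {(dst, src) for src, dst in remote}
    return sorted(local - mirrored), sorted(mirrored - local)

# ACL lines copied from the thread: Router B's suggested ACL 101, and Router A's
# ACL 104 as first suggested and as corrected.
ROUTER_B = "access-list 101 permit ip 10.2.11.0 0.0.0.255 10.1.11.0 0.0.0.255"
ROUTER_A_FIRST = "access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.1.0 0.0.0.255"
ROUTER_A_FIXED = "access-list 104 permit ip 10.1.11.0 0.0.0.255 10.2.11.0 0.0.0.255"

def check(router_a_cfg):
    """Compare a Router A config against Router B's ACL 101 from the thread."""
    return mirror_mismatches(crypto_acl(router_a_cfg, 104), crypto_acl(ROUTER_B, 101))

if __name__ == "__main__":
    for label, cfg in (("first suggestion", ROUTER_A_FIRST), ("corrected", ROUTER_A_FIXED)):
        only_a, only_b = check(cfg)
        print(f"{label}: A encrypts but B has no mirror: {only_a}; "
              f"B expects encrypted but A sends in clear: {only_b}")
```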
