RE: DMVPN ipsec

Hello,

Normally, this happens if there is a encryption enabled on one end and none on the other end.... or a ISAKMP / IPSEC neighbor mismatch of some sort...

Can you post the configs? It may be helpful. Please see the below info and let us know.

Andre

http://supportwiki.cisco.com/ViewWiki/index.php/User_receives_the_error_message_CRYPTO-4-RECVD_PKT_NOT_IPSEC_Rec'd_packet_not_an_IPSEC_packet.(ip)_dest_addr%3D_IP_address,_src_addr%3D_IP_address,_prot%3D_dec.

Case Number K22068255
Title User receives the error message %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.(ip) dest_addr= [IP_address], src_addr= [IP_address], prot= [dec].
Core issue A packet is received that matches the encryption (crypto) map access control list (ACL), but is not IPsec-encapsulated. The IPsec peer sends unencapsulated packets. This condition can be caused by a policy setup error on the peer, or it might be considered a hostile event.

This error message might come up because of several reasons that include:

Mismatched crypto access list on two ends

Routing misconfiguration

 
Resolution Complete these steps to resolve this issue:

1. Match the access lists with the peer. 2. Make sure that the same access list is not applied to two or more crypto map entries. 3. Refrain from using the any any statement in the access list. 4. Check routing. For more information,refer to IPSec Manual Keying Between Routers Configuration Example and Configuring GRE and IPSec with IPX Routing

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of olumayokun fowowe
Sent: Tuesday, May 12, 2009 9:18 AM
To: Dale Shaw
Cc: Cisco certification
Subject: Re: DMVPN ipsec

Hello Dale

I did tunnel mode gre multipoint as you suggested but I'm sitll having the same error as indcated below:

*May 12 12:52:28.729: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON *May 12 12:52:30.001: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
    (ip) vrf/dest_addr= /y.y.50.58, src_addr= y.y.50.102, prot= 47

On Tue, May 12, 2009 at 12:21 AM, Dale Shaw <dale.shaw_at_gmail.com> wrote:

> Hi,
>
> On Tue, May 12, 2009 at 12:22 AM, olumayokun fowowe
> <olumayokun_at_gmail.com> wrote:
> >
> > R1 is the hub, and it is connecting to two spoke routers. The tunnel
> forms
> > and works well untill I applied ipsec to the routers. Then if I do
> > show ipsec sessions, I will have the interface in down negotiating
> >
> > Thanks for your help.
>
> Try 'tunnel mode gre multipoint' on the tunnel interfaces.
>
> cheers,
> Dale

Blogs and organic groups at http://www.ccie.net
Received on Tue May 12 2009 - 09:38:23 ART