Re: DMVPN ipsec

From: Mark Cairns <m.a.cairns_at_gmail.com>
Date: Tue, 12 May 2009 09:45:35 -0400

Please try the following:

1. "mode transport" under your transform set at all sites.
2. gre multipoint as Dale suggested
3. Remove the tunnel destination from your configuration. That should be
derived from your ip nhrp map statement.
4. "no crypto ipsec nat-transparency udp-encaps" may be needed depending on
NAT and firewalls in between hub and spokes.
5. Match the ip nhrp holdtime 60 at the hub that you configured on the
spokes.
6. ip nhrp redirect at the hub
7. You may need to bounce a tunnel interface after applying the crypto with
the tunnel protection command.

Mark
#17755, Security

On Tue, May 12, 2009 at 9:18 AM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:

> Hello Dale
>
> I did tunnel mode gre multipoint as you suggested but I'm still having the
> same error as indicated below:
>
> *May 12 12:52:28.729: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> *May 12 12:52:30.001: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> IPSEC packet.
> (ip) vrf/dest_addr= /y.y.50.58, src_addr= y.y.50.102, prot= 47
>
>
> On Tue, May 12, 2009 at 12:21 AM, Dale Shaw <dale.shaw_at_gmail.com> wrote:
>
> > Hi,
> >
> > On Tue, May 12, 2009 at 12:22 AM, olumayokun fowowe
> > <olumayokun_at_gmail.com> wrote:
> > >
> > > R1 is the hub, and it is connecting to two spoke routers. The tunnel forms
> > > and works well until I applied ipsec to the routers. Then if I do show
> > > ipsec sessions, I will have the interface in down negotiating
> > >
> > > Thanks for your help.
> >
> > Try 'tunnel mode gre multipoint' on the tunnel interfaces.
> >
> > cheers,
> > Dale
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Tue May 12 2009 - 09:45:35 ART
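
An added example, not part of the thread and not written by its participants: a small Python check of a router configuration against items 1, 2, 3 and 5 of Mark's list. The sample configuration, its names (TS, DMVPN) and addresses are constructed, and `peer_holdtime` is a hypothetical parameter for the holdtime configured on the other side.

```python
import re

# Constructed spoke configuration (not from the thread); addresses are documentation ranges.
SAMPLE_SPOKE = """\
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile DMVPN
 set transform-set TS
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp nhs 10.0.0.1
 ip nhrp holdtime 300
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile DMVPN
"""

def blocks(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(config, peer_holdtime=None):
    """Return findings for checklist items 1, 2, 3 and 5 of the message."""
    findings = []
    for head, body in blocks(config).items():
        if head.startswith("crypto ipsec transform-set ") and "mode transport" not in body:
            findings.append(f"{head.split()[3]}: transform set is not in transport mode")
        if re.match(r"interface Tunnel\d+$", head):
            if "tunnel mode gre multipoint" not in body:
                findings.append(f"{head}: tunnel mode is not gre multipoint")
            if any(l.startswith("tunnel destination ") for l in body):
                findings.append(f"{head}: static tunnel destination configured")
            hold = [int(l.split()[-1]) for l in body if l.startswith("ip nhrp holdtime ")]
            if peer_holdtime is not None and hold != [peer_holdtime]:
                findings.append(f"{head}: nhrp holdtime {hold} differs from peer ({peer_holdtime})")
    return findings
```

Calling `audit(SAMPLE_SPOKE, peer_holdtime=60)` reports four findings; the same configuration with transport mode, gre multipoint, no tunnel destination and a holdtime of 60 reports none.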

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:42 ART