I'm trying to get VPN on my home router working, but I keep getting the following error in my syslog:

Code:
Mar 4 16:06:49 nosey 77118: nosey: 4w2d: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 217.155.216.166 was not encrypted and it should've been.

Any idea on what I'm doing wrong? My current config is:

Code:
Current configuration : 5065 bytes
!
! Last configuration change at 16:09:39 GMT Sat Mar 4 2006 by growse
! NVRAM config last updated at 15:56:29 GMT Sat Mar 4 2006 by growse
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nosey
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging count
logging userinfo
no logging buffered
no logging console
enable secret 5 *******
!
username growse password 7 *******
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip subnet-zero
no ip source-route
no ip icmp rate-limit unreachable
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.1 192.168.0.19
!
ip dhcp pool CLIENT
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   domain-name mrmen.home
   dns-server 192.168.0.1
!
!
ip domain timeout 1
ip domain name mrmen.home
ip name-server 192.168.0.2
no ip bootp server
ip inspect max-incomplete low 70
ip inspect max-incomplete high 100
ip inspect one-minute low 300
ip inspect one-minute high 400
ip inspect udp idle-time 20
ip inspect dns-timeout 1
ip inspect tcp idle-time 900
ip inspect tcp finwait-time 3
ip inspect tcp synwait-time 15
ip inspect name inspectout icmp
ip inspect name myinspect http timeout 10
ip inspect name myinspect icmp
ip inspect name myinspect tcp
ip inspect name myinspect udp
ip inspect name myinspect smtp
ip ips po max-events 100
ip ssh authentication-retries 2
ip ssh source-interface Ethernet0
ip ssh rsa keypair-name mine
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group growse
 key ************
 dns 192.168.0.1
 domain *******
 pool ippool
!
!
crypto ipsec transform-set ts-mrmen esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ts-mrmen
!
!
crypto map clientmap client authentication list userauthenticate
crypto map clientmap isakmp authorization list groupauthorise
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 ip address 10.1.0.1 255.255.255.0
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip access-group INTERNET-IN in
 ip nat outside
 ip inspect myinspect out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ************
 ppp chap password 7 ********
 ppp pap sent-username *************
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map clientmap
 hold-queue 224 in
!
ip local pool ippool 192.168.0.100 192.168.0.110
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route [ext_ip] 255.255.255.255 Ethernet0 192.168.0.2
no ip http server
no ip http secure-server
ip dns server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443
!
!
ip access-list extended INTERNET-IN
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit esp any host [ext_ip]
 permit udp any eq isakmp host [ext_ip] eq isakmp
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit tcp any any eq smtp
 deny   ip any any log
logging origin-id hostname
logging 192.168.0.2
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community mrmen RO
snmp-server location Under The Chest of Drawers
snmp-server contact Andrew
snmp-server enable traps tty
no cdp run
!
control-plane
!
banner login ^CC
[--- Hello! ---]
Go Away. You Are Being Watched.
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred ssh
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
sntp server 192.36.143.150
sntp broadcast client
end
Yeah, you're NATing your outgoing VPN traffic. You need a line in your NAT access list excluding VPN destination IP addresses. Since your VPN client pool is in the same subnet as your internal network, change:

Code:
access-list 102 permit ip 192.168.0.0 0.0.0.255 any

to:

Code:
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any

While I'm here, can I suggest a few things:

- Exclude your VPN client pool range from your DHCP pool (just in case).

- The "in" thing is to use route maps in NAT maps instead of referencing an ACL, so:

Code:
route-map NONAT
 match ip address 102
no ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map NONAT interface Dialer1 overload

- Don't assume isakmp will have a source of UDP 500 coming in; some firewalls will change this as well as the source address. If you're using the Cisco VPN client using NAT-T, encrypted traffic uses UDP 4500, so you need an entry for that. Entries in ACL INTERNET-IN for these should be:

Code:
permit udp any host [ext_ip] eq non500-isakmp
permit udp any host [ext_ip] eq isakmp

HTH
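To see why the extra deny line matters, here is a small simulation of how IOS walks a NAT access-list (first match wins, implicit deny at the end) over the original list and the corrected one. This is an added example written for this thread, not code from any post or from Cisco; the sample packets (a LAN host talking to a VPN client in the 192.168.0.100-110 pool, and to an Internet address) are constructed, and the parser also rejects a malformed wildcard such as a five-octet mask, which is an easy typo to make when hand-editing ACLs.

```python
"""Simulate how IOS walks a NAT access-list (first match wins) so you can see
what the extra 'deny' line changes.  Added example, not code from the thread;
the sample packets are constructed."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str):
    """Parse 'access-list N {permit|deny} ip SRC WC DST WC', where SRC/DST may
    also be 'any' or 'host A.B.C.D'.  Raises ValueError on a malformed address
    or mask (e.g. a five-octet wildcard such as 0.0.0.0.255)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"not a simple IP ACE: {line!r}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")

    def take(rest):
        if rest[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]

    src, rest = take(tokens[4:])
    dst, _ = take(rest)
    for octets in (*src, *dst):
        ipaddress.IPv4Address(octets)  # validates; raises ValueError if malformed
    return action, src, dst


def ace_is_valid(line: str) -> bool:
    """True if the entry parses cleanly (addresses and wildcards well-formed)."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def nat_applies(acl: list[str], src: str, dst: str) -> bool:
    """First matching entry decides: permit = translate, deny = leave alone.
    No match falls through to the implicit deny, i.e. no translation."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# The NAT list as posted, and the corrected one with the deny line first.
ACL_BEFORE = ["access-list 102 permit ip 192.168.0.0 0.0.0.255 any"]
ACL_AFTER = [
    "access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 102 permit ip 192.168.0.0 0.0.0.255 any",
]

if __name__ == "__main__":
    # Constructed samples: LAN host -> VPN client in the pool, and LAN host -> Internet.
    for acl_name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for dst in ("192.168.0.105", "203.0.113.10"):
            translated = nat_applies(acl, "192.168.0.5", dst)
            print(f"{acl_name:6} 192.168.0.5 -> {dst}: NAT={'yes' if translated else 'no'}")
```

With the original list, traffic to the VPN client at 192.168.0.105 is translated (the outbound source becomes the Dialer1 address, so the return path through the tunnel breaks); with the deny entry in front it is left alone, while traffic to Internet addresses is still translated. The same matching logic is what a route-map referencing list 102 applies.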
Made those changes - still getting:

Code:
Mar 8 15:01:20 nosey 1489: nosey: 3d03h: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 212.183.128.185 was not encrypted and it should've been.
I should have noticed before: this and the first message are about traffic from the remote end. Are you using the Cisco VPN client? Are the local networks that you are connecting from also 192.168.0.X?
I've tried to test a similar setup to yours, thinking that the problem is happening with a client routing issue caused by overlapping addresses - your network is 192.168.0.0/24, which is why I asked if you're connecting from 192.168.0.X. I can't get the same error you get, not with client version 4.6 anyway, but I discovered something else: your VPN address pool must be in a different network from your internal networks, otherwise traffic won't be routed back through the tunnel.

Also, to avoid address conflicts if you ever decide to allow local LAN connection or split tunnelling (most home networks are using defaults of 192.168.0.0/24 or 192.168.1.0/24), make your internal and VPN pool addresses something that is unlikely to be used elsewhere, e.g. internal network 192.168.200.0/24 and VPN pool a range from 192.168.201.0/24.

Can you post if you still get errors after making these changes - will need to do some debugging.
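The addressing advice in this thread (pool outside the internal network, pool excluded from DHCP, and neither in a default home range) can be checked mechanically against a saved config. The following is an added example, not code from the thread or from Cisco: it parses only the `ip local pool`, `ip dhcp excluded-address`, `ip address` and DHCP `network` lines and reports findings. The two config fragments are constructed; the first mirrors the addressing posted above, the second the 192.168.200.0/24 and 192.168.201.0/24 suggestion.

```python
"""Lint an IOS config for the address-pool problems discussed in the thread:
a VPN client pool inside an internal subnet, a pool not excluded from DHCP,
and LAN/pool ranges inside the common home subnets remote clients tend to use.
Added example, not from the thread; the sample configs are constructed."""
import ipaddress

COMMON_HOME_SUBNETS = [ipaddress.IPv4Network("192.168.0.0/24"),
                       ipaddress.IPv4Network("192.168.1.0/24")]


def parse_config(text: str):
    """Pull out local pools, DHCP exclusions and internal networks."""
    pools, excluded, networks = {}, [], []
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 6:
            pools[t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif t[:3] == ["ip", "dhcp", "excluded-address"]:
            start = ipaddress.IPv4Address(t[3])
            end = ipaddress.IPv4Address(t[4]) if len(t) > 4 else start
            excluded.append((start, end))
        elif t[:2] == ["ip", "address"] and len(t) >= 4 and t[2] != "negotiated":
            networks.append(ipaddress.IPv4Interface(f"{t[2]}/{t[3]}").network)
        elif t[0] == "network" and len(t) >= 3:  # sub-command of 'ip dhcp pool'
            networks.append(ipaddress.IPv4Network(f"{t[1]}/{t[2]}"))
    uniq = []
    for n in networks:  # the DHCP network and the LAN interface usually coincide
        if n not in uniq:
            uniq.append(n)
    return pools, excluded, uniq


def lint_config(text: str):
    """Return a list of (code, message) findings; empty means nothing to fix."""
    pools, excluded, networks = parse_config(text)
    findings = []
    for net in networks:
        if any(net.subnet_of(c) for c in COMMON_HOME_SUBNETS):
            findings.append(("COMMON_HOME_SUBNET", f"internal network {net} is a default home range"))
    for name, (start, end) in pools.items():
        for net in networks:
            if start in net or end in net:
                findings.append(("POOL_OVERLAPS_LAN", f"pool {name} {start}-{end} lies inside {net}"))
                addrs = range(int(start), int(end) + 1)
                if not all(any(int(s) <= a <= int(e) for s, e in excluded) for a in addrs):
                    findings.append(("POOL_NOT_DHCP_EXCLUDED", f"pool {name} is not fully excluded from DHCP"))
        if any(start in c or end in c for c in COMMON_HOME_SUBNETS):
            findings.append(("COMMON_HOME_SUBNET", f"pool {name} is inside a default home range"))
    return findings


# Constructed fragment mirroring the addressing posted in this thread.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp pool CLIENT
   network 192.168.0.0 255.255.255.0
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
interface Dialer1
 ip address negotiated
ip local pool ippool 192.168.0.100 192.168.0.110
"""

# Same, with the pool excluded from DHCP (the "just in case" suggestion above).
EXCLUDED_CONFIG = SAMPLE_CONFIG + "ip dhcp excluded-address 192.168.0.100 192.168.0.110\n"

# Constructed fragment following the 192.168.200.0/24 + 192.168.201.0/24 advice.
FIXED_CONFIG = """\
ip dhcp excluded-address 192.168.200.1 192.168.200.19
ip dhcp pool CLIENT
   network 192.168.200.0 255.255.255.0
interface Ethernet0
 ip address 192.168.200.1 255.255.255.0
ip local pool ippool 192.168.201.10 192.168.201.20
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("pool excluded", EXCLUDED_CONFIG), ("renumbered", FIXED_CONFIG)):
        print(f"== {label}")
        for code, msg in lint_config(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it against a `show running-config` dump saved to a file by passing the file contents to `lint_config`. Excluding the pool from DHCP only clears the POOL_NOT_DHCP_EXCLUDED finding; the overlap itself stays until the pool is moved to its own network.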