ISAKMP Phase II issue, with IPSec Profile on mGRE Tunnel interface.

michael.leblanc
Level 4

Background: We are migrating a stable P2P GRE + IPSec implementation (with rsa-encr authentication) to a DMVPN (mGRE) implementation. We intend to migrate to rsa-sig after successfully establishing the DMVPN with pre-share authentication. All P2P GRE + IPSec crypto maps have been removed from the physical interfaces, and the P2P GRE tunnel interfaces have been administratively shut down. With DMVPN configured, we have the spoke initiating ISAKMP with the hub, and ISAKMP phase I negotiation succeeds (QM_IDLE).

Issue: We are encountering ISAKMP phase II issues.

A debug (ISAKMP + IPSec) on the hub indicates that the proposed IPSec attributes are acceptable. When the proposal request is validated, we are presented with the following errors:

Jun 30 21:22:56.616 EDT: ISAKMP:(2001):atts are acceptable.
Jun 30 21:22:56.616 EDT: IPSEC(validate_proposal_request): proposal part #1
Jun 30 21:22:56.616 EDT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= <hub-ip-physical>, remote= <spoke-ip-physical>,
    local_proxy= <hub-ip-physical>/255.255.255.255/47/0 (type=1),
    remote_proxy= <spoke-ip-physical>/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jun 30 21:22:56.616 EDT: map_db_check_isakmp_profile profile did not match
Jun 30 21:22:56.616 EDT: map_db_check_isakmp_profile profile did not match
Jun 30 21:22:56.616 EDT: map_db_find_best did not find matching map
Jun 30 21:22:56.616 EDT: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 30 21:22:56.616 EDT: ISAKMP:(2001): IPSec policy invalidated proposal with error 32
Jun 30 21:22:56.616 EDT: ISAKMP:(2001):Checking IPSec proposal 2
... snip ...
Jun 30 21:22:56.616 EDT: ISAKMP:(2001): phase 2 SA policy not acceptable! (local <hub-ip-physical> remote <spoke-ip-physical>)

We are not sure why a matching ISAKMP profile and map are not found.


hub# sh cry isa profile
ISAKMP PROFILE DMVPN
Ref Count = 3
   Identities matched are:
    ip-address aaa.bbb.ccc.0 255.255.240.0
   Certificate maps matched are:
   keyring(s): dmvpn
   trustpoint(s): <all>

hub# sh cry ips profile
IPSEC profile DMVPN
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={eni-xfm-des:  { esp-des esp-sha-hmac  } , eni-xfm-3des:  { esp-3des esp-sha-hmac  } ,}

hub# sh cry map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        ISAKMP Profile: DMVPN
        Profile name: DMVPN
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={eni-xfm-des:  { esp-des esp-sha-hmac  } , eni-xfm-3des:  { esp-3des esp-sha-hmac  } ,}
        Interfaces using crypto map Tunnel0-head-0: Tunnel0

Note: Two other crypto maps exist on the hub, and are listed in the show output. However, they are not applied to any interfaces.

On the spoke, we see a Profile Instance such as this:

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = <hub-ip-physical>
        ISAKMP Profile: DMVPN
        Extended IP access list
            access-list  permit gre host <spoke-ip-physical> host <hub-ip-physical>
        Current peer: <hub-ip-physical>
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={eni-xfm-des, eni-xfm-3des,}
        Interfaces using crypto map Tunnel0-head-0: Tunnel0

... but not on the hub.


Configuration (Hub & Spoke): Relevant crypto portions of the DMVPN configurations follow:

crypto keyring dmvpn
pre-shared-key address 0.0.0.0 0.0.0.0 key <removed>

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600

Note: Other ISAKMP policies snipped.

crypto isakmp identity hostname

crypto isakmp profile DMVPN
keyring dmvpn
match identity address aaa.bbb.ccc.0 255.255.240.0

Note: aaa.bbb.ccc.0 255.255.240.0 represents the address space used on the Internet-exposed interfaces.
Note: Also tried "match identity address 0.0.0.0 0.0.0.0" on the hub and spoke.


crypto ipsec transform-set eni-xfm-3des esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set eni-xfm-des esp-des esp-sha-hmac
mode transport

crypto ipsec profile DMVPN
set transform-set eni-xfm-des eni-xfm-3des
set pfs group1
set isakmp-profile DMVPN

interface Tunnel0
ip address <removed> 255.255.255.0
tunnel protection ipsec profile DMVPN

Note: NHRP, mGRE, and most other parameters have been snipped.

Any assistance would be appreciated.

Best Regards,
Mike
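The hub-side debug above is easier to triage when the key fields are pulled out mechanically. The following Python is an added example, not part of the post or of any Cisco tooling: it parses responder-side `debug crypto isakmp` / `debug crypto ipsec` lines into the peer addresses, the proxy identities the spoke proposed (address/mask/IP protocol/port, where 47 is GRE), the number of crypto map entries that failed the ISAKMP profile check, whether any map was found, and the IPsec error codes. The sample log is constructed to mirror the post, with documentation-range addresses standing in for the redacted ones.

```python
import re

# Constructed sample, modelled on the hub debug in the post above; the
# addresses are documentation-range placeholders, not the poster's values.
SAMPLE_DEBUG = """\
Jun 30 21:22:56.616 EDT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.2,
    local_proxy= 192.0.2.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 198.51.100.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Transport),
Jun 30 21:22:56.616 EDT: map_db_check_isakmp_profile profile did not match
Jun 30 21:22:56.616 EDT: map_db_check_isakmp_profile profile did not match
Jun 30 21:22:56.616 EDT: map_db_find_best did not find matching map
Jun 30 21:22:56.616 EDT: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 30 21:22:56.616 EDT: ISAKMP:(2001): IPSec policy invalidated proposal with error 32
"""

PEER_RE = re.compile(r"INBOUND local= ([\d.]+), remote= ([\d.]+),")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
ERROR_RE = re.compile(r"invalidated proposal with error (\d+)")

def triage_phase2(debug_text):
    """Summarise a rejected Quick Mode proposal from responder-side
    'debug crypto isakmp' + 'debug crypto ipsec' output."""
    summary = {"local": None, "remote": None, "proxies": {},
               "profile_mismatches": 0, "map_found": True, "errors": []}
    for line in debug_text.splitlines():
        if m := PEER_RE.search(line):
            summary["local"], summary["remote"] = m.group(1), m.group(2)
        elif m := PROXY_RE.search(line):  # proxy id: addr/mask/IP proto/port
            side, addr, mask, proto, port = m.groups()
            summary["proxies"][side] = {"addr": addr, "mask": mask,
                                        "proto": int(proto), "port": int(port)}
        elif "profile did not match" in line:  # one crypto map entry rejected
            summary["profile_mismatches"] += 1
        elif "did not find matching map" in line:
            summary["map_found"] = False
        elif m := ERROR_RE.search(line):
            summary["errors"].append(int(m.group(1)))
    return summary

def describe(summary):
    """One-line verdict that only restates what the debug lines record."""
    if summary["map_found"]:
        return "no map-selection failure recorded"
    gre = all(p["proto"] == 47 for p in summary["proxies"].values())
    return (f"{summary['local']} found no crypto map for peer {summary['remote']}: "
            f"{summary['profile_mismatches']} entries failed the ISAKMP profile "
            f"check for the proposed {'GRE' if gre else 'non-GRE'} proxy identities")
```

Feeding the real hub debug to `triage_phase2` gives a compact record of what the hub rejected and why, which is what to compare against the crypto map and ISAKMP profile shown by `sh cry map` and `sh cry isa profile`.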
