DMVPN over IPSec problem

Fernandes
Level 1

Hi, I have 2 DMVPN tunnels over IPSec with 2 spokes.

On one tunnel everything is okay. The tunnel is UP.

But the second tunnel has a problem. The DMVPN state is IPSEC. I am getting these logs:

IOS: c1100-universalk9.17.06.03a.SPA.bin

Router: cisco C1101-4PLTEP (1RU)

Interface: Tunnel14, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   xxxxxxxxxxxxx      172.21.0.1 IPSEC 00:01:02     S
     1   xxxxxxxxxxxxx      172.21.0.2  NHRP 00:00:53     S

Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied

HUB LOGS

 

RTR01#sh crypto ipsec sa peer YYYYYYYY

interface: Tunnel14
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXX

protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.357
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel12
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXXX

protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.390
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
RTR01#
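
Added example, not part of the original post and not Cisco tooling: a Python triage script that reads the two spoke outputs quoted above and reports which DMVPN peers are not in state UP and which algorithm the `%CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL` messages say was denied. The function names and regular expressions are assumptions of this example, and the embedded sample is constructed from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample: spoke output and syslog lines copied from the post above.
SHOW_DMVPN = """\
Interface: Tunnel14, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
 1 xxxxxxxxxxxxx 172.21.0.1 IPSEC 00:01:02 S
 1 xxxxxxxxxxxxx 172.21.0.2 NHRP 00:00:53 S
"""
SYSLOG = """\
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
"""

# Hypothetical patterns written for this example, matched to the layout above.
IFACE = re.compile(r"^Interface:\s*(?P<name>\S+?),")
PEER_ROW = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\S+)\s+(?P<tunnel>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z]+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$")
CSDL = re.compile(
    r"%CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL:.*?Use of (?P<alg>\S+) by "
    r"(?P<engine>.+?) is denied")

def peers_not_up(show_dmvpn):
    """Return (interface, tunnel_addr, state) for each peer whose state is not UP."""
    iface, stuck = None, []
    for line in show_dmvpn.splitlines():
        if m := IFACE.match(line):
            iface = m["name"]          # remember which tunnel the rows belong to
        elif (m := PEER_ROW.match(line)) and m["state"] != "UP":
            stuck.append((iface, m["tunnel"], m["state"]))
    return stuck

def denied_algorithms(syslog):
    """Count CSDL compliance denials per (algorithm, engine) pair."""
    return Counter((m["alg"], m["engine"]) for m in CSDL.finditer(syslog))

if __name__ == "__main__":
    for iface, addr, state in peers_not_up(SHOW_DMVPN):
        print(f"{iface}: peer {addr} is in state {state}, not UP")
    for (alg, engine), count in denied_algorithms(SYSLOG).items():
        print(f"{count}x denied by compliance check: {alg} in {engine}")
```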

 

 
