2911 Router Migration 4431 Router Crypto Map

Portfast
Level 1


We apply a crypto map under the port-channel on the 2911 router. The new 4431 router does not allow entering this definition. What is the best method you can suggest to solve this? We do not have control of the other party. Is there a way to run the tunnel from this interface without making any changes on the other side?

 

config-if)#crypto map XnameX
% NOTE: crypto map is configured on tunnel or port-channel interface.
        Currently only GDOI crypto map is supported on tunnel or port-channel interface.


Richard Burts
Hall of Fame

The post describes a 2911 router with a port channel and a crypto map applied to the port channel, and asks this question: "Is there a way to run the tunnel running from this interface without making any changes on the other side?" There is much that we do not know about this environment, but one thing we can say with confidence is that if you are trying to accomplish encryption of traffic going over the tunnel, then no, it is not possible to implement this without making changes on the other side.

HTH

Rick

That's true, the new router does not accept adding a crypto map under the interface.

For the tunnel you don't need anything except an IP for the tunnel and a route toward the tunnel head:

interface Tunnel0

 tunnel source <port-channel interface>

 tunnel destination <peer port-channel IP>

 tunnel protection ipsec profile <name>

And instead of using an ACL, use a static route:

ip route <remote-lan> <tunnel-head>

MHM

Giuseppe Larosa
Hall of Fame

Hello @Portfast ,

Support for crypto map has been removed in the latest IOS XE, and you need to use a static VTI configuration instead.

Consider the config example provided by @MHM Cisco World.

Hope to help

Giuseppe

 

Hello,

Since you can only migrate one side (yours), and you have no control of the other side, check the document linked below:

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.pdf

Portfast
Level 1

hello all

I will create a test area and try it today. Thank you for your support

I rechecked my notes yesterday.

In IOS XE 16.12 and later you can use a VTI (tunnel) to connect to a legacy crypto map router.

So since the 4431 cannot support the legacy crypto map, you can use a VTI as I mentioned before, and the peer does not need to change its crypto map, but on the 4431 add:

tunnel protection ipsec policy ipv4 <ACL>

This makes your VTI on the 4431 work as a legacy crypto map.

MHM

Portfast
Level 1

greetings to everyone

I applied the migration document, but it did not work. Below I share the debug errors I received. As I said, I have no information about the configuration of the other site. I only know it does IPsec with a Cisco ASA firewall.

If you have anything to suggest, I'd love to hear it.

Mar  5 21:03:42.489: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:03:42.489: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:03:42.489: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:03:42.489: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:03:42.495: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by Crypto IKMP is denied
Mar  5 21:03:42.495: ISAKMP-ERROR: (0):failed to set SKEYID 
Mar  5 21:03:50.959: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
Mar  5 21:03:50.959: ISAKMP-ERROR: (0):No pre-shared key with 212.x.x.x!
Mar  5 21:03:50.959: ISAKMP-ERROR: (0):No Cert or pre-shared address key. 
Mar  5 21:03:50.960: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
Mar  5 21:03:50.961: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Mar  5 21:03:50.961: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Mar  5 21:03:56.081: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
Mar  5 21:03:56.081: ISAKMP-ERROR: (0):No pre-shared key with 212.x.x.x!
Mar  5 21:03:56.082: ISAKMP-ERROR: (0):No Cert or pre-shared address key. 
Mar  5 21:03:56.082: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
Mar  5 21:03:56.083: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Mar  5 21:03:56.083: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Mar  5 21:04:00.583: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 192.168.225.18)
Mar  5 21:04:00.583: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 192.168.225.18) 
Mar  5 21:04:01.714: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
Mar  5 21:04:01.714: ISAKMP-ERROR: (0):No pre-shared key with 212.x.x.x!
Mar  5 21:04:01.714: ISAKMP-ERROR: (0):No Cert or pre-shared address key. 
Mar  5 21:04:01.715: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
Mar  5 21:04:01.716: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Mar  5 21:04:01.716: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:06.038: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Mar  5 21:04:06.056: ISAKMP: (1462):No NAT Found for self or peer
Mar  5 21:04:06.089: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.089: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.090: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.091: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.092: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.092: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.093: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.093: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.094: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.095: ISAKMP-ERROR: (1462):IPSec policy invalidated proposal with error 8
Mar  5 21:04:06.095: ISAKMP-ERROR: (1462):phase 2 SA policy not acceptable! (local 172.16.0.22 remote 10.210.36.1)
Mar  5 21:04:06.095: ISAKMP-ERROR: (1462):deleting node 2997991346 error TRUE reason "QM rejected"
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:07.619: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:07.626: ISAKMP: (1463):No NAT Found for self or peer
Mar  5 21:04:07.642: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.643: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.643: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.644: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.645: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.645: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.646: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.647: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.647: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.648: ISAKMP-ERROR: (1463):IPSec policy invalidated proposal with error 8
Mar  5 21:04:07.648: ISAKMP-ERROR: (1463):phase 2 SA policy not acceptable! (local 172.16.0.22 remote 10.10.36.1)
Mar  5 21:04:07.649: ISAKMP-ERROR: (1463):deleting node 79940397 error TRUE reason "QM rejected"
Mar  5 21:04:12.490: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:12.490: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:12.490: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Mar  5 21:04:12.490: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Mar  5 21:04:12.495: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by Crypto IKMP is denied
Mar  5 21:04:12.495: ISAKMP-ERROR: (0):failed to set SKEYID 
Mar  5 21:04:20.958: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
Mar  5 21:04:20.958: ISAKMP-ERROR: (0):No pre-shared key with 212x.x.x!
Mar  5 21:04:20.959: ISAKMP-ERROR: (0):No Cert or pre-shared address key. 
Mar  5 21:04:20.959: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
Mar  5 21:04:20.960: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Mar  5 21:04:20.960: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
no debug all
All possible debugging has been turned off

 

 

Thanks for the update. There are a few things that I notice in the debug output:

Mar 5 21:04:20.958: ISAKMP-ERROR: (0):No pre-shared key with 212x.x.x!
Mar 5 21:04:20.959: ISAKMP-ERROR: (0):No Cert or pre-shared address key.

Mar 5 21:04:12.490: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!

Mar 5 21:04:07.619: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!

The bottom line is that your router is seriously not in sync with the peer device (probably ASA if I interpret your post correctly). To get an encrypted tunnel to work you need to agree on certain parameters such as encryption keys, encryption algorithm, etc.

HTH

Rick
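Putting MHM's two posts (static VTI plus the `tunnel protection ipsec policy ipv4` line for a crypto-map peer) together with the mismatches Rick lists, the following is a complete static VTI configuration for the 4431 side. It is an added example, not configuration posted by anyone in the thread or taken from the linked Cisco document. The peer address, networks, policy numbers, object names and the pre-shared key are constructed placeholders; the policy-ACL command follows MHM's description of the IOS XE 16.12 and later feature. The comments map each debug message from the post to the line that must agree with the peer, so the block doubles as a checklist when reading `debug crypto isakmp` output.

```cisco
! Added example: static VTI on the 4431 replacing the port-channel crypto map.
! 203.0.113.2, 192.0.2.0/24, 198.51.100.0/24, names and the PSK are placeholders.
!
! --- IKEv1 phase 1 --------------------------------------------------------
! "Encryption algorithm offered does not match policy" -> the "encryption" line
! "Hash algorithm offered does not match policy"       -> the "hash" line
! "Use of MD5 by Crypto IKMP is denied"                -> "hash md5" is refused on
!                                                         this platform; the peer
!                                                         must offer SHA-1 or SHA-2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! "No pre-shared key with <peer>!" / "No Cert or pre-shared address key"
! -> a key entry for the peer's address is missing. The key itself must be
!    identical on both sides.
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! --- IKEv1 phase 2 --------------------------------------------------------
! "IPSec policy invalidated proposal with error 8" / "QM rejected"
! -> transform set or proxy identities (the ACL below) disagree with the peer
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256-SHA256
!
! The crypto map's match ACL becomes the policy ACL on the VTI so that the
! crypto-map peer still negotiates the proxy identities it expects.
ip access-list extended VPN-TRAFFIC
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! --- The VTI itself --------------------------------------------------------
interface Tunnel0
 ip unnumbered Port-channel1
 tunnel source Port-channel1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
 tunnel protection ipsec policy ipv4 VPN-TRAFFIC
!
! Traffic is steered into the tunnel by routing, not by the crypto-map ACL.
ip route 198.51.100.0 255.255.255.0 Tunnel0
```

The values in the phase 1 policy and transform set are deliberate placeholders: the debug output shows the 4431 rejecting what the ASA offers, so the only way to close the gap is to learn the ASA's IKE policy and transform set (or have its administrator state them) and match them here, without falling back to MD5 or aggressive mode, which the 4431 logs show it will not accept.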

We cannot know what exactly the issue is without knowing the config you use.

Can you share the config?

MHM
