DMVPN IKEv1 IPsec Phase 2 Issue

391767 (Level 1)

I have three routers set up in DMVPN. IOU1 is the hub, and IOU2 and IOU3 are spokes. I have IOU2 powered off at the moment to focus on the other routers.

IOU1 has an underlay address of 192.168.123.1 and a tu0 address of 172.16.123.1. IOU1 is also the next hop server.

IOU3 has an underlay address of 192.168.123.3 and a tu0 address of 172.16.123.3.

I configured IOU1 with route-based GRE over IPsec using a crypto map and applied it to the physical interface e0/0.

I configured IOU3 with policy-based GRE over IPsec using tunnel protection with a transport mode transform-set.

The crypto map I configured on IOU1 has one entry for IOU2's underlay IP and another entry for IOU3's underlay IP. I used the same crypto map ACL since it will match both entries.

When I bring the tunnel interfaces up on both the hub and the spoke, I do a "show dmvpn" on the hub. I do not see the dynamic NHRP entry from the spoke.

IKEv1 phase 1 comes up successfully:

IOU1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.123.1 192.168.123.3 QM_IDLE 1020 ACTIVE

IPv6 Crypto ISAKMP SA

IOU1#sh crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1020 192.168.123.1 192.168.123.3 ACTIVE aes sha psk 5 23:58:32
Engine-id:Conn-id = SW:20

IPv6 Crypto ISAKMP SA

IOU1#

Phase 2 seems to have an issue. IOU1's debug:

IOU1#
*Jan 3 00:51:12.249: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
*Jan 3 00:51:12.249: IPSEC(ipsec_process_proposal): peer address 192.168.123.3 not found
IOU1#
*Jan 3 00:51:42.254: IPSEC(validate_proposal_request): proposal part #1
*Jan 3 00:51:42.254: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.123.1:0, remote= 192.168.123.3:0,
local_proxy= 192.168.123.1/255.255.255.255/47/0,
remote_proxy= 192.168.123.3/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jan 3 00:51:42.254: Crypto mapdb : proxy_match
src addr : 192.168.123.1
dst addr : 192.168.123.3
protocol : 47
src port : 0
dst port : 0
IOU1#

I'm not sure why it's reporting the peer address was not found.

IOU1 Config:

IOU1(config-if)#do sh run int et0/0
Building configuration...

Current configuration : 117 bytes
!
interface Ethernet0/0
description SWITCH1 ETHERNET0
ip address 192.168.123.1 255.255.255.0
crypto map CMAP
end

IOU1(config-if)#

IOU1#sh crypto map
Crypto Map IPv4 "CMAP" 1 ipsec-isakmp
Peer = 192.168.123.2 ! For IOU2
Extended IP access list ACL-CRYPTO
access-list ACL-CRYPTO permit gre host 192.168.123.1 192.168.123.0 0.0.0.255
Current peer: 192.168.123.2
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Mixed-mode : Disabled
Transform sets={
TSET-IPSEC: { esp-aes esp-sha-hmac } ,
}

Crypto Map IPv4 "CMAP" 2 ipsec-isakmp
Peer = 192.168.123.3 ! For IOU3
Extended IP access list ACL-CRYPTO
access-list ACL-CRYPTO permit gre host 192.168.123.1 192.168.123.0 0.0.0.255
Current peer: 192.168.123.3
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Mixed-mode : Disabled
Transform sets={
TSET-IPSEC: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map CMAP:
Ethernet0/0

Interfaces using crypto map NiStTeSt1:

IOU1#

IOU1#sh crypto ipsec transform-set TSET-IPSEC
{ esp-aes esp-sha-hmac }
will negotiate = { Transport, },

IOU1#

IOU1(config-if)#do sh run int tu0
Building configuration...

Current configuration : 207 bytes
!
interface Tunnel0
ip address 172.16.123.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
tunnel source Ethernet0/0
tunnel mode gre multipoint
end

IOU1(config-if)#

 

IOU3 Config:

IOU3(config-if)#do sh run int tu0
Building configuration...

Current configuration : 323 bytes
!
interface Tunnel0
ip address 172.16.123.3 255.255.255.0
no ip redirects
ip nhrp map 172.16.123.1 192.168.123.1
ip nhrp map multicast 192.168.123.1
ip nhrp network-id 1
ip nhrp nhs 172.16.123.1
ip nhrp shortcut
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile PROF-IPSEC
end

IOU3(config-if)#

IOU3(config-if)#do sh crypto ipsec profile
IPSEC profile PROF-IPSEC
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Mixed-mode : Disabled
Transform sets={
TSET-IPSEC: { esp-aes esp-sha-hmac } ,
}

IPSec profile default: disabled

IOU3(config-if)#

IOU3(config-if)#do sh crypto ipsec transform-set
Transform set TSET-IPSEC: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set default: disabled
IOU3(config-if)#

If I remove both the crypto map from IOU1 and the tunnel protection ipsec profile tu0 config from IOU3, the DMVPN comes up okay and I see the NHRP registration on IOU1 from IOU3, so I think this is an IPsec issue.

 

8 Replies

This is phase 3 of DMVPN.

Also, you need to configure the IPsec profile under the tunnel on the hub; I see the IPsec profile only under the spoke.

MHM

Hi MHM,

This is intentional. From a purely learning perspective, I want to use a crypto map on the hub and tunnel protection on the spoke.

You cannot do that in DMVPN.

You need to make both the spoke and hub tunnels use an IPsec profile.

For p2p you can use the new IPsec profile feature that makes it acceptable to connect to a crypto map.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html

MHM

Hello
Are you trying to apply IPsec to the underlay AND the overlay?
Can you post the cfg of the hub and a spoke rtr please (attach it to a file and share that file)?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I am trying to apply IPsec to the DMVPN tunnels. Here are the configs. The hub and the spoke are connected with an ethernet switch in GNS3 with all ports configured in access mode on the same VLAN.

Hello @391767 
thank you for the reply and the cfg files...
Could you try appending the following and test again? I believe the issue is that the crypto map is applied to the NBMA interface, which is preventing IPsec from establishing. Additionally, I suggest using a dynamic pre-shared key for the authentication.



Kind Regards
Paul
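One way the hub could be changed along the lines of that reply, written here as an added example rather than Paul's attachment or the original poster's configuration: the crypto map comes off Ethernet0/0 and the same transform set is bound to Tunnel0 through an IPsec profile, with an ISAKMP policy matching the aes / sha / psk / group 5 parameters that "show crypto isakmp sa detail" above already negotiated, and a wildcard pre-shared key so any spoke NBMA address can authenticate. The policy number and the key value are placeholders, not values from the thread.

```cisco
! Added example for the hub (IOU1); not the original poster's config or the file attached in the thread.
! ISAKMP policy matching what the hub already negotiated in the output above: aes / sha / psk / group 5.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
!
! Wildcard (dynamic) pre-shared key: one key for any spoke NBMA address.
! REPLACE_ME is a placeholder, not a value from the thread.
crypto isakmp key REPLACE_ME address 0.0.0.0 0.0.0.0
!
! Same transform set as the spoke; transport mode, since GRE already supplies the outer IP header.
crypto ipsec transform-set TSET-IPSEC esp-aes esp-sha-hmac
 mode transport
!
! Profile mirroring the spoke's PROF-IPSEC (PFS group 5) so the phase 2 parameters agree.
crypto ipsec profile PROF-IPSEC
 set transform-set TSET-IPSEC
 set pfs group5
!
! Remove the crypto map from the NBMA (underlay) interface ...
interface Ethernet0/0
 no crypto map CMAP
!
! ... and protect the mGRE tunnel interface instead.
interface Tunnel0
 tunnel protection ipsec profile PROF-IPSEC
```

After applying it, "show dmvpn" on the hub should list the spoke's NHRP registration and "show crypto ipsec sa" should show ESP SAs whose proxy identities are the GRE host-to-host pairs seen in the debug above. Note that a wildcard key is shared by every spoke, so outside a lab a per-peer keyring or certificate authentication limits what a single leaked key exposes.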

Thank you Paul, that fixes the issue.

That begs the question though - the crypto map vs tunnel protection ipsec profile configuration should be a cosmetic one, correct? The bits sent across the wire are the same in each of the two methods. I initially wanted to do a crypto map on the hub and the other method on the spoke to see if I could get it to work as a learning tool.

Hello
TBH, VTIs are a newer form of IPsec and much easier to understand in my opinion, and also recommended for DMVPN.
No need for crypto/NAT ACLs, for one, and they can be applied to logical interfaces such as DMVPN tunnels.



Kind Regards
Paul