DMVPN, IPsec, Hub behind NAT, Frontdoor VRF

I'd like to configure a DMVPN hub behind static NAT. When the Internet interface and the Tunnel interface are in the same VRF on the hub, everything works well. But when I put the Internet interface into a separate VRF, IPsec fails during phase 2.

Hub configuration:

crypto keyring DMVPN vrf Internet
pre-shared-key address 0.0.0.0 0.0.0.0 key pass
!
!
!
!
crypto isakmp policy 10
authentication pre-share


crypto isakmp profile DMVPN
keyring DMVPN
match identity address 0.0.0.0 Internet
local-address GigabitEthernet0/1
!
!
crypto ipsec transform-set DMVPN esp-3des
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
set isakmp-profile DMVPN
!

interface Tunnel21
ip address 10.188.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication HQpass
ip nhrp network-id 210
ip nhrp redirect
ip tcp adjust-mss 1360
if-state nhrp
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 210
tunnel vrf Internet
tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/1
ip vrf forwarding Internet
ip address 10.178.2.2 255.255.255.0

*Jun 29 10:50:43.972: ISAKMP: (1004):Checking IPSec proposal 1
*Jun 29 10:50:43.973: ISAKMP: (1004):transform 1, ESP_3DES
*Jun 29 10:50:43.973: ISAKMP: (1004): attributes in transform:
*Jun 29 10:50:43.974: ISAKMP: (1004): encaps is 4 (Transport-UDP)
*Jun 29 10:50:43.974: ISAKMP: (1004): SA life type in seconds
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life duration (basic) of 3600
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life type in kilobytes
*Jun 29 10:50:43.975: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 29 10:50:43.979: ISAKMP: (1004):atts are acceptable.
*Jun 29 10:50:43.981: ISAKMP-ERROR: (1004):IPSec policy invalidated proposal with error 32
*Jun 29 10:50:43.983: ISAKMP-ERROR: (1004):phase 2 SA policy not acceptable! (local 10.178.2.2 remote 193.5.1.10)
*Jun 29 10:50:43.984: ISAKMP: (1004):set new node -1103950591 to QM_IDLE
*Jun 29 10:50:43.986: ISAKMP: (1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 238628864, message ID = 3191016705

When I put Tunnel21 into the Internet VRF, it works fine.

interface Tunnel21
ip vrf forwarding Internet
ip address 10.188.1.1 255.255.255.0

Is there anything missing in my configuration?

Petr

RJI (VIP Advocate) replied:

I couldn't see it in your config above, but do you have the default route set to use the VRF?

e.g. ip route vrf internet 0.0.0.0 0.0.0.0 x.x.x.x

Petr replied:

I haven't inserted the whole configuration. The static route is there.

ip route vrf Internet 0.0.0.0 0.0.0.0 10.178.2.1

The issue happens in IPsec Phase 2. Communication between hub and spoke works well.
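As an added example (not code from the thread or from Cisco), here is a small Python checker that reads an IOS hub configuration and reports the front-door-VRF alignment points this thread touches on: the VRF of the tunnel source interface, the VRF default route RJI asked about, the keyring's vrf binding and the ISAKMP profile's match identity VRF. The embedded configuration is a constructed excerpt modelled on the one posted above, and the function and helper names are my own.

```python
import re

# Constructed hub excerpt modelled on the configuration posted in the thread (not the poster's full config).
HUB_CONFIG = """\
crypto keyring DMVPN vrf Internet
crypto isakmp profile DMVPN
 keyring DMVPN
 match identity address 0.0.0.0 Internet
crypto ipsec profile DMVPN
 set isakmp-profile DMVPN
interface Tunnel21
 tunnel source GigabitEthernet0/1
 tunnel vrf Internet
 tunnel protection ipsec profile DMVPN
interface GigabitEthernet0/1
 ip vrf forwarding Internet
ip route vrf Internet 0.0.0.0 0.0.0.0 10.178.2.1
"""

BLOCK = r"\n((?: [^\n]*\n)*)"   # capture all indented child lines of an IOS section
CHILD = r"\n(?: [^\n]*\n)*? "   # skip indented lines up to the child line we want

def check_fvrf_consistency(cfg):
    # Report where a tunnel's 'tunnel vrf' is not matched by the source interface,
    # the VRF default route, the keyring binding, or the ISAKMP profile identity VRF.
    keyring_vrf = dict(re.findall(r"^crypto keyring (\S+) vrf (\S+)", cfg, re.M))
    intf_vrf = dict(re.findall(r"^interface (\S+)" + CHILD + r"ip vrf forwarding (\S+)", cfg, re.M))
    isakmp = dict(re.findall(r"^crypto isakmp profile (\S+)" + BLOCK, cfg, re.M))
    ipsec = dict(re.findall(r"^crypto ipsec profile (\S+)" + CHILD + r"set isakmp-profile (\S+)", cfg, re.M))
    default_vrfs = set(re.findall(r"^ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", cfg, re.M))
    findings = []
    for name, body in re.findall(r"^interface (Tunnel\S*)" + BLOCK, cfg, re.M):
        opt = dict(re.findall(r"^ tunnel (\S+) .*?(\S+)$", body, re.M))  # keyword -> last token
        fvrf, src = opt.get("vrf"), opt.get("source")
        if not fvrf:
            continue  # no front-door VRF on this tunnel: nothing to align
        if intf_vrf.get(src) != fvrf:
            findings.append(f"{name}: tunnel source {src} is not in VRF {fvrf}")
        if fvrf not in default_vrfs:
            findings.append(f"{name}: no default route in VRF {fvrf}")
        prof = isakmp.get(ipsec.get(opt.get("protection"), ""), "")
        m = re.search(r"^ keyring (\S+)", prof, re.M)
        if m and keyring_vrf.get(m.group(1)) != fvrf:
            findings.append(f"{name}: keyring {m.group(1)} is not bound to VRF {fvrf}")
        m = re.search(r"^ match identity address .*?(\S+)$", prof, re.M)
        if m and m.group(1) != fvrf:
            findings.append(f"{name}: ISAKMP 'match identity' is not in VRF {fvrf}")
    return findings
```

Run it against `show running-config` output; an empty list means the four points agree, and each finding names the tunnel and the element that does not follow its front-door VRF.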