Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1431
Views
0
Helpful
2
Replies

DMVPN, IPsec, Hub behind NAT, Frontdoor VRF

p.hruby
Level 1
Level 1

‎06-29-2017 04:52 AM - edited ‎02-21-2020 09:21 PM

I'd like to configure DMVPN hub behind static NAT. When Internet interface and Tunnel interface are in  the same VRF on the hub, everything works well. But when I put Internet interface into separate VRF, IPsec fails during phase 2.

Hub configuration:

crypto keyring DMVPN vrf Internet
pre-shared-key address 0.0.0.0 0.0.0.0 key pass
!
!
!
!
crypto isakmp policy 10
authentication pre-share


crypto isakmp profile DMVPN
keyring DMVPN
match identity address 0.0.0.0 Internet
local-address GigabitEthernet0/1
!
!
crypto ipsec transform-set DMVPN esp-3des
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
set isakmp-profile DMVPN
!

interface Tunnel21
ip address 10.188.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication HQpass
ip nhrp network-id 210
ip nhrp redirect
ip tcp adjust-mss 1360
if-state nhrp
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 210
tunnel vrf Internet
tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/1
ip vrf forwarding Internet
ip address 10.178.2.2 255.255.255.0

*Jun 29 10:50:43.972: ISAKMP: (1004):Checking IPSec proposal 1
*Jun 29 10:50:43.973: ISAKMP: (1004):transform 1, ESP_3DES
*Jun 29 10:50:43.973: ISAKMP: (1004): attributes in transform:
*Jun 29 10:50:43.974: ISAKMP: (1004): encaps is 4 (Transport-UDP)
*Jun 29 10:50:43.974: ISAKMP: (1004): SA life type in seconds
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life duration (basic) of 3600
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life type in kilobytes
*Jun 29 10:50:43.975: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 29 10:50:43.979: ISAKMP: (1004):atts are acceptable.
*Jun 29 10:50:43.981: ISAKMP-ERROR: (1004):IPSec policy invalidated proposal with error 32
*Jun 29 10:50:43.983: ISAKMP-ERROR: (1004):phase 2 SA policy not acceptable! (local 10.178.2.2 remote 193.5.1.10)
*Jun 29 10:50:43.984: ISAKMP: (1004):set new node -1103950591 to QM_IDLE
*Jun 29 10:50:43.986: ISAKMP: (1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 238628864, message ID = 3191016705

When I put tunnel21 into Internet vrf, it works fine.

interface Tunnel21
ip vrf forwarding Internet
ip address 10.188.1.1 255.255.255.0

Is there anything missing in my configuration?

Petr

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Rob Ingram
VIP
VIP

‎06-29-2017 11:28 AM

I couldn't see it in your config above, but do you have the default route set to use the VRF?

e.g - ip route vrf internet 0.0.0.0 0.0.0.0 x.x.x.x

0 Helpful

p.hruby
Level 1
Level 1
In response to Rob Ingram

‎06-30-2017 12:42 AM

I haven't inserted whole configuration. The static route is there.

ip route vrf Internet 0.0.0.0 0.0.0.0 10.178.2.1

The issue happens in IPsec Phase 2. Communication between hub and spoke works well.

0 Helpful
Customers Also Viewed These Support Documents