26815 Views | 0 Helpful | 17 Replies

DMVPN ISAKMP phase 2 SA policy not acceptable!

gustavo-salazar
Level 1

Hi everyone,

I'm having trouble with a basic DMVPN configuration. In the debug output I can see ISAKMP phase 1 complete, but then the phase 2 proposal fails. It says something about a crypto map that doesn't exist. I thought that with this configuration I didn't need a crypto map. The router configurations and a screenshot of the debug are attached. Any help would be appreciated.

Gustavo

17 Replies

Ok Guys,

I've got one problem here. I think it's an issue with the NAT as well. But the thing is that the router isn't a Cisco, it's a WatchGuard Firebox X Peak 5500, so I don't know how to bypass ACLs for IPsec connections on this firewall. I also cannot apply a dynamic crypto map because I don't think it has that option. The only thing I would try is to set the transform-set mode to transport, to see what happens.

I also posted this issue in a WatchGuard forum to see what advice I can get there.

I will write again after I've tried transport mode on both peers.

Gustavo

It finally works; all I needed was to configure transport mode in the transform-set. Now I know that NAT-Transparency Aware works even though the firewall is not a Cisco: it allows the traffic and the tunnel comes up.

Here's the evidence:

sh cryp ips sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr. 190.201.x.x

   protected vrf:
   local  ident (addr/mask/prot/port): (190.201.x.x/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (64.116.x.x/255.255.255.255/47/0)
   current_peer: 64.116.x.x:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 252, #pkts encrypt: 252, #pkts digest 252
    #pkts decaps: 107, #pkts decrypt: 107, #pkts verify 107
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 20, #recv errors 0

     local crypto endpt.: 190.201.x.x, remote crypto endpt.: 64.116.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: C9662D7

     inbound esp sas:
      spi: 0xCA073946(3389471046)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4600769/2670)
        IV size: 8 bytes
        replay detection support: Y
      spi: 0x21D068DB(567306459)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport UDP-Encaps, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4490068/2667)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2FF4BB8(50285496)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4600769/2667)
        IV size: 8 bytes
        replay detection support: Y
      spi: 0xC9662D7(211182295)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport UDP-Encaps, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4490063/2659)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

sh cryp isa sa

dst             src             state      conn-id  slot
64.116.x.x      190.201.x.x     QM_IDLE    2        0

sh cryp engine connections active

  ID    Interface    IP-Address    State   Algorithm              Encrypt   Decrypt
   2    Tunnel0      10.10.10.2    set     HMAC_MD5+DES_56_CB        0         0
2000    Tunnel0      10.10.10.2    set     HMAC_MD5+3DES_56_C        0         1
2001    Tunnel0      10.10.10.2    set     HMAC_MD5+3DES_56_C        1         0
2002    Tunnel0      10.10.10.2    set     HMAC_MD5+3DES_56_C        0       106
2003    Tunnel0      10.10.10.2    set     HMAC_MD5+3DES_56_C      351         0

sh ip nhrp

10.10.10.1/32 via 10.10.10.1, Tunnel0 created 00:24:26, never expire
  Type: static, Flags: authoritative used
  NBMA address: 64.116.x.x

I'm so happy it works, thanks a lot.

Gustavo

Perfect, worked for me. Thank you.