I'd like to configure a DMVPN hub behind static NAT. When the Internet interface and the Tunnel interface are in the same VRF on the hub, everything works well. But when I put the Internet interface into a separate VRF, IPsec fails during phase 2.
crypto isakmp profile DMVPN
   keyring DMVPN
   match identity address 0.0.0.0 Internet
   local-address GigabitEthernet0/1
!
!
crypto ipsec transform-set DMVPN esp-3des
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set isakmp-profile DMVPN
!
interface Tunnel21
 ip address 10.188.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication HQpass
 ip nhrp network-id 210
 ip nhrp redirect
 ip tcp adjust-mss 1360
 if-state nhrp
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 210
 tunnel vrf Internet
 tunnel protection ipsec profile DMVPN
interface GigabitEthernet0/1
 ip vrf forwarding Internet
 ip address 10.178.2.2 255.255.255.0
*Jun 29 10:50:43.972: ISAKMP: (1004):Checking IPSec proposal 1
*Jun 29 10:50:43.973: ISAKMP: (1004):transform 1, ESP_3DES
*Jun 29 10:50:43.973: ISAKMP: (1004): attributes in transform:
*Jun 29 10:50:43.974: ISAKMP: (1004): encaps is 4 (Transport-UDP)
*Jun 29 10:50:43.974: ISAKMP: (1004): SA life type in seconds
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life duration (basic) of 3600
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life type in kilobytes
*Jun 29 10:50:43.975: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 29 10:50:43.979: ISAKMP: (1004):atts are acceptable.
*Jun 29 10:50:43.981: ISAKMP-ERROR: (1004):IPSec policy invalidated proposal with error 32
*Jun 29 10:50:43.983: ISAKMP-ERROR: (1004):phase 2 SA policy not acceptable! (local 10.178.2.2 remote 22.214.171.124)
*Jun 29 10:50:43.984: ISAKMP: (1004):set new node -1103950591 to QM_IDLE
*Jun 29 10:50:43.986: ISAKMP: (1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 238628864, message ID = 3191016705
When I put Tunnel21 into the Internet VRF, it works fine.
interface Tunnel21
 ip vrf forwarding Internet
 ip address 10.188.1.1 255.255.255.0
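Added example, not part of the original post: a small Python parser that triages the `debug crypto isakmp` excerpt quoted above. It groups the lines per ISAKMP SA (the number in parentheses), pulls out the transform, encapsulation mode and lifetimes the spoke proposed, and records the policy error code, the peer addresses and the NOTIFY the hub sent back. The regexes are written against the IOS debug format exactly as it appears in the post; other releases may word these lines differently, so treat them as an assumption. The embedded sample is the post's own debug output.

```python
"""Triage IKEv1 quick-mode rejections in `debug crypto isakmp` output.

Added example; regexes match the IOS debug lines quoted in the post above
and are an assumption for other IOS releases.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Debug excerpt from the post (hub side, phase 2 failing).
SAMPLE_DEBUG = """\
*Jun 29 10:50:43.972: ISAKMP: (1004):Checking IPSec proposal 1
*Jun 29 10:50:43.973: ISAKMP: (1004):transform 1, ESP_3DES
*Jun 29 10:50:43.973: ISAKMP: (1004): attributes in transform:
*Jun 29 10:50:43.974: ISAKMP: (1004): encaps is 4 (Transport-UDP)
*Jun 29 10:50:43.974: ISAKMP: (1004): SA life type in seconds
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life duration (basic) of 3600
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life type in kilobytes
*Jun 29 10:50:43.975: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 29 10:50:43.979: ISAKMP: (1004):atts are acceptable.
*Jun 29 10:50:43.981: ISAKMP-ERROR: (1004):IPSec policy invalidated proposal with error 32
*Jun 29 10:50:43.983: ISAKMP-ERROR: (1004):phase 2 SA policy not acceptable! (local 10.178.2.2 remote 22.214.171.124)
*Jun 29 10:50:43.984: ISAKMP: (1004):set new node -1103950591 to QM_IDLE
*Jun 29 10:50:43.986: ISAKMP: (1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 238628864, message ID = 3191016705
"""

# "*Jun 29 10:50:43.972: ISAKMP[-ERROR]: (1004):message"; the SA id is optional
# because some lines (the VPI lifetime line) omit it.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+): (?P<src>ISAKMP(?:-ERROR)?): "
    r"(?:\((?P<sa>\d+)\):?)?\s*(?P<msg>.*)$"
)
TRANSFORM_RE = re.compile(r"^transform \d+, (?P<name>\S+)")
ENCAPS_RE = re.compile(r"^encaps is (?P<enc>.+)$")
LIFE_BASIC_RE = re.compile(r"^SA life duration \(basic\) of (?P<val>\d+)$")
LIFE_VPI_RE = re.compile(r"^SA life duration \(VPI\) of (?P<bytes>0x[0-9a-fA-F]+(?:\s+0x[0-9a-fA-F]+)*)$")
POLICY_ERR_RE = re.compile(r"invalidated proposal with error (?P<code>\d+)")
PEERS_RE = re.compile(r"\(local (?P<local>[\d.]+) remote (?P<remote>[\d.]+)\)")
NOTIFY_RE = re.compile(r"^Sending NOTIFY (?P<name>[A-Z_]+)")


@dataclass
class QuickModeResult:
    """What the hub logged for one ISAKMP SA during IKEv1 quick mode."""
    sa_id: str
    transforms: List[str] = field(default_factory=list)  # e.g. ["ESP_3DES"]
    encaps: Optional[str] = None                         # e.g. "4 (Transport-UDP)"
    lifetime_seconds: Optional[int] = None
    lifetime_kilobytes: Optional[int] = None             # VPI bytes decoded big-endian
    attributes_accepted: bool = False                    # "atts are acceptable."
    policy_error: Optional[int] = None                   # "... with error N"
    local: Optional[str] = None
    remote: Optional[str] = None
    notify: Optional[str] = None                         # e.g. "PROPOSAL_NOT_CHOSEN"

    @property
    def rejected(self) -> bool:
        return self.policy_error is not None or self.notify == "PROPOSAL_NOT_CHOSEN"


def parse_isakmp_debug(text: str) -> Dict[str, QuickModeResult]:
    """Parse debug lines into one QuickModeResult per ISAKMP SA id."""
    results: Dict[str, QuickModeResult] = {}
    current_sa: Optional[str] = None          # lines without an id belong to the last SA seen
    pending_life_type: Optional[str] = None   # "seconds" or "kilobytes", set by the preceding line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sa = m.group("sa") or current_sa
        if sa is None:
            continue
        current_sa = sa
        r = results.setdefault(sa, QuickModeResult(sa_id=sa))
        msg = m.group("msg").strip()

        if (t := TRANSFORM_RE.match(msg)):
            r.transforms.append(t.group("name"))
        elif (e := ENCAPS_RE.match(msg)):
            r.encaps = e.group("enc")
        elif msg.startswith("SA life type in "):
            pending_life_type = msg[len("SA life type in "):]
        elif (s := LIFE_BASIC_RE.match(msg)) and pending_life_type == "seconds":
            r.lifetime_seconds = int(s.group("val"))
        elif (k := LIFE_VPI_RE.match(msg)) and pending_life_type == "kilobytes":
            # "0x0 0x46 0x50 0x0" is a big-endian byte string: 0x00465000 = 4608000 KB
            r.lifetime_kilobytes = int("".join(b[2:].zfill(2) for b in k.group("bytes").split()), 16)
        elif msg.startswith("atts are acceptable"):
            r.attributes_accepted = True
        elif (p := POLICY_ERR_RE.search(msg)):
            r.policy_error = int(p.group("code"))
        elif (n := NOTIFY_RE.match(msg)):
            r.notify = n.group("name")
        if (peers := PEERS_RE.search(msg)):
            r.local, r.remote = peers.group("local"), peers.group("remote")
    return results


def summarize(r: QuickModeResult) -> str:
    """One human-readable block per SA, for pasting into a ticket."""
    lines = [
        f"ISAKMP SA {r.sa_id}: phase 2 proposal {'REJECTED' if r.rejected else 'accepted'}",
        f"  transforms: {', '.join(r.transforms) or '?'}; encaps: {r.encaps or '?'}",
        f"  lifetime: {r.lifetime_seconds} s / {r.lifetime_kilobytes} KB",
        f"  peers: local {r.local} remote {r.remote}",
    ]
    if r.attributes_accepted and r.policy_error is not None:
        lines.append(f"  transform attributes were accepted; IPsec policy check then failed with error {r.policy_error}")
    if r.notify:
        lines.append(f"  notify sent: {r.notify}")
    return "\n".join(lines)


if __name__ == "__main__":
    for result in parse_isakmp_debug(SAMPLE_DEBUG).values():
        print(summarize(result))
```

Run against the sample, the summary makes the ordering in the log explicit: the hub accepted the transform attributes (ESP_3DES, transport mode with UDP encapsulation, 3600 s / 4608000 KB) and only afterwards invalidated the proposal in its IPsec policy check, so the mismatch is not in the transform set. The script does not decode what error 32 denotes, since the post does not say.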