I'd like to configure a DMVPN hub behind static NAT. When the Internet interface and the Tunnel interface are in the same VRF on the hub, everything works well. But when I put the Internet interface into a separate VRF, IPsec fails during phase 2.
crypto isakmp profile DMVPN
   keyring DMVPN
   match identity address 0.0.0.0 Internet
   local-address GigabitEthernet0/1
!
!
crypto ipsec transform-set DMVPN esp-3des
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
 set isakmp-profile DMVPN
!
interface Tunnel21
 ip address 10.188.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication HQpass
 ip nhrp network-id 210
 ip nhrp redirect
 ip tcp adjust-mss 1360
 if-state nhrp
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 210
 tunnel vrf Internet
 tunnel protection ipsec profile DMVPN
interface GigabitEthernet0/1
 ip vrf forwarding Internet
 ip address 10.178.2.2 255.255.255.0
*Jun 29 10:50:43.972: ISAKMP: (1004):Checking IPSec proposal 1
*Jun 29 10:50:43.973: ISAKMP: (1004):transform 1, ESP_3DES
*Jun 29 10:50:43.973: ISAKMP: (1004): attributes in transform:
*Jun 29 10:50:43.974: ISAKMP: (1004): encaps is 4 (Transport-UDP)
*Jun 29 10:50:43.974: ISAKMP: (1004): SA life type in seconds
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life duration (basic) of 3600
*Jun 29 10:50:43.975: ISAKMP: (1004): SA life type in kilobytes
*Jun 29 10:50:43.975: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 29 10:50:43.979: ISAKMP: (1004):atts are acceptable.
*Jun 29 10:50:43.981: ISAKMP-ERROR: (1004):IPSec policy invalidated proposal with error 32
*Jun 29 10:50:43.983: ISAKMP-ERROR: (1004):phase 2 SA policy not acceptable! (local 10.178.2.2 remote 188.8.131.52)
*Jun 29 10:50:43.984: ISAKMP: (1004):set new node -1103950591 to QM_IDLE
*Jun 29 10:50:43.986: ISAKMP: (1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 238628864, message ID = 3191016705
When I put Tunnel21 into the Internet VRF, it works fine.
interface Tunnel21
 ip vrf forwarding Internet
 ip address 10.188.1.1 255.255.255.0
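Added example, not part of the post above: a small Python parser for the IOS `debug crypto isakmp` output quoted in the question. It groups lines by ISAKMP SA id and separates a transform-set mismatch (attributes rejected) from what the log actually shows here, attributes accepted and then the proposal invalidated by the IPsec policy check (error 32); the sample lines are copied from the post, and the field names and verdict strings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample: ISAKMP debug lines copied from the post above (IOS "debug crypto isakmp").
SAMPLE_DEBUG = """\
*Jun 29 10:50:43.972: ISAKMP: (1004):Checking IPSec proposal 1
*Jun 29 10:50:43.973: ISAKMP: (1004):transform 1, ESP_3DES
*Jun 29 10:50:43.974: ISAKMP: (1004): encaps is 4 (Transport-UDP)
*Jun 29 10:50:43.979: ISAKMP: (1004):atts are acceptable.
*Jun 29 10:50:43.981: ISAKMP-ERROR: (1004):IPSec policy invalidated proposal with error 32
*Jun 29 10:50:43.983: ISAKMP-ERROR: (1004):phase 2 SA policy not acceptable! (local 10.178.2.2 remote 188.8.131.52)
*Jun 29 10:50:43.986: ISAKMP: (1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 238628864, message ID = 3191016705
"""
# Timestamp, optional -ERROR tag, then the ISAKMP SA id; lines without an SA id are skipped.
LINE_RE = re.compile(r"^\*\S+ \d+ [\d:.]+: ISAKMP(?:-ERROR)?: \((?P<sa>\d+)\):\s*(?P<msg>.*)$")

@dataclass
class Phase2Outcome:
    sa_id: str
    transform: Optional[str] = None   # e.g. ESP_3DES
    encaps: Optional[str] = None      # e.g. Transport-UDP (NAT-T, transport mode)
    atts_acceptable: bool = False     # ISAKMP accepted the crypto attributes
    error_code: Optional[int] = None  # "IPSec policy invalidated proposal with error N"
    local: Optional[str] = None
    remote: Optional[str] = None

    def verdict(self) -> str:
        # Tell a transform-set mismatch apart from a policy rejection after acceptable attributes.
        if self.error_code is None:
            return "phase 2 accepted"
        if self.atts_acceptable:
            return f"transform accepted, IPsec policy rejected proposal (error {self.error_code})"
        return "proposal attributes not acceptable"

def parse_phase2(debug_text: str) -> Dict[str, Phase2Outcome]:
    """Group phase 2 debug lines by ISAKMP SA id and extract the negotiation outcome."""
    outcomes: Dict[str, Phase2Outcome] = {}
    for line in debug_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        o = outcomes.setdefault(m["sa"], Phase2Outcome(m["sa"]))
        msg = m["msg"]
        if t := re.match(r"transform \d+, (\S+)", msg):
            o.transform = t[1]
        elif e := re.match(r"encaps is \d+ \((.+)\)", msg):
            o.encaps = e[1]
        elif msg.startswith("atts are acceptable"):
            o.atts_acceptable = True
        elif c := re.search(r"invalidated proposal with error (\d+)", msg):
            o.error_code = int(c[1])
        elif p := re.search(r"\(local (\S+) remote (\S+)\)", msg):
            o.local, o.remote = p[1], p[2]
    return outcomes
```

Running `parse_phase2(SAMPLE_DEBUG)["1004"].verdict()` on the quoted debug gives the "transform accepted, IPsec policy rejected proposal (error 32)" case, which is consistent with the observation that the same transform set works once Tunnel21 is placed in the Internet VRF.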