23921 Views | 0 Helpful | 17 Replies
gustavo-salazar
Beginner

DMVPN ISAKMP phase 2 SA policy not acceptable!

Hi everyone,

I'm having trouble with a basic DMVPN configuration. In the debugging I can see how ISAKMP phase 1 completes, but then the phase 2 proposal fails. It says something about a crypto map that doesn't exist. I thought that with this configuration I didn't need a crypto map. The routers' configuration and the debug print screen are attached. Any help would be appreciated.

Gustavo

1 ACCEPTED SOLUTION
Herbert Baerten
Cisco Employee

Try this:

crypto ipsec transform-set medium esp-3des esp-md5-hmac

mode transport

Also, since both the spoke and the hub are behind NAT you'll need NAT-T, so definitely don't disable it.

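As an added worked example (not from the original thread or from the accepted reply), here is a minimal hub and spoke configuration that applies the accepted answer: the same transform set in transport mode, bound to the mGRE tunnel through an IPsec profile, with NAT-T left at its default (enabled). The addresses (RFC 5737 documentation ranges), interface names, pre-shared key, tunnel key and NHRP network-id are assumed placeholders, not values from the thread.

```cisco
! ===== Hub (private address on Fa0/1, reached through a NAT firewall) =====
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Wildcard peer: the spoke's source address after NAT is not known in advance.
! PLACEHOLDER key, assumed for this example.
crypto isakmp key DMVPNKEY address 0.0.0.0 0.0.0.0
! NAT-T is on by default. Do NOT add "no crypto isakmp nat-traversal" when
! either peer sits behind NAT; ESP cannot cross NAT without UDP encapsulation.
!
! Transport mode: the GRE packet is already addressed hub<->spoke, so no
! outer IP header is needed. Mismatched modes are a common cause of a
! phase 2 "SA policy not acceptable" failure.
! 3DES/MD5 follow the thread for illustration only; prefer AES and SHA-2.
crypto ipsec transform-set medium esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile medium
 set transform-set medium
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 50
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 50
 tunnel protection ipsec profile medium
!
! ===== Spoke (hub's public NAT address assumed as 203.0.113.1) =====
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key DMVPNKEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set medium esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile medium
 set transform-set medium
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 50
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 50
 tunnel protection ipsec profile medium
```

The network-id, tunnel key, NHRP authentication string and transform set must match on both sides. After applying this, `show crypto isakmp sa` should show the peer in QM_IDLE, and the "in use settings" line of `show crypto ipsec sa` should report Transport (with UDP encapsulation when NAT-T has been negotiated) rather than Tunnel.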

17 REPLIES
gustavo-salazar
Beginner

I tried the command show crypto map on the hub router and the spoke, and I can see what the error message refers to.

Here's what the Hub router shows:

RPrueba2#sh cryp map

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

Profile name: medium

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Interfaces using crypto map Tunnel0-head-0:

Tunnel0

And here's what the Spoke router shows:

RPrueba2#sh cryp map

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

Profile name: medium

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp

Map is a PROFILE INSTANCE.

Peer = 64.116.129.158

Extended IP access list

access-list permit gre host 190.201.x.x host 64.116.x.x

Current peer: 64.116.x.x

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Interfaces using crypto map Tunnel0-head-0:

Tunnel0

I don't know why the crypto map doesn't show up on the hub router. Any thoughts???

Gustavo

sdoremus33
Participant

When you defined the dynamic crypto map, did you integrate it into the static map? E.g.:

Step 1: Define the transform set

Step 2: Define the dynamic map

Step 3: Integrate the dynamic map into the static map.

Also the dynamic map should have the transform set attributes only!!!

One other question: in your mGRE config your network is between Hub and Spk1, Spk2, correct? One other thing I did notice was that your ip nhrp network-id for Spk(2) was set to 50, where the Hub is set to 100 and the other Hub router is set to 200, something to investigate further. HTH

sdoremus33
Participant

Spoke router

ip nhrp network-id 50

Hub router

ip nhrp network-id 100

So I changed the network ID numbers to 50. Still doesn't come up.

Now I have a question. I don't know if you noticed, but I have a firewall in the middle doing NAT. In the show crypto map on the Spoke, it says: access-list 103 permit gre host 190.201.x.x host 64.116.x.x. But as you can see in the hub's FE 0/1 config I have a private IP address 172.16.x.x. So is the crypto map telling me that the tunnel is going to end up on the firewall interface or on the router interface behind the firewall? Is the NAT process capable of doing that?

The configuration looks good, however I would try one other command on the spoke router:

Set security-association level per-host.

This command is used so that the IP source in the spoke's IPsec proxy will be the spoke's current physical /32 address; without this command it would rather just use ANY as the destination in the ACL, which would preclude any other spoke router from setting up a physical map connection to the hub router.

Just a thought. HTH

This command is used in global configuration on the spoke routers.

For the following statement: But as you can see in the hub's FE 0/1 config I have a private IP address 172.16.x.x. So is the crypto map telling me that the tunnel is going to end up on the firewall interface or on the router interface behind the firewall? Is the NAT process capable of doing that?

Also, for testing purposes, try adding the crypto map to the outside-facing public interface on the spoke router. (For testing purposes)

sdoremus33
Participant

Just curious, what are the outputs from the following commands?

IPSEC Commands

sh crypto isakmp sa

sh crypto ipsec sa

sh crypto engine connections active

NHS Commands

sh ip nhrp

This could help us out further along with this problem.

sdoremus33
Participant