cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
26658
Views
0
Helpful
17
Replies

DMVPN ISAKMP phase 2 SA policy not acceptable!

gustavo-salazar
Level 1
Level 1

Hi everyone,

I'm having toruble with a basic configuration DMVPN. In the debugging I can see how ISAKMP phase 1 completes, but them the phase 2 proposal fails. It says something about a cryptomap that doesnt exists. I thought that with these configuration I didn't need a cryptomap. The routers configuration and the debug print screen are attached. Any help would be aprreciated.

Gustavo

1 Accepted Solution

Accepted Solutions

Herbert Baerten
Cisco Employee
Cisco Employee

Try this:

crypto ipsec transform-set medium esp-3des esp-md5-hmac

mode transport

Also, since both the spoke and the hub are behind NAT you'll need NAT-T, so definitely don't disable it.

View solution in original post

17 Replies 17

gustavo-salazar
Level 1
Level 1

I tried the command show crypto map in the hub router and the spoke, and I can see what the error message is refered to.

Here's what the Hub router shows:

RPrueba2#sh cryp map

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

Profile name: medium

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Interfaces using crypto map Tunnel0-head-0:

Tunnel0

And here's what the Spoke router shows:

RPrueba2#sh cryp map

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

Profile name: medium

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp

Map is a PROFILE INSTANCE.

Peer = 64.116.129.158

Extended IP access list

access-list permit gre host 190.201.x.x host 64.116.x.x

Current peer: 64.116.x.x

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Interfaces using crypto map Tunnel0-head-0:

Tunnel0

I don't know why the crypto map doesn't shows up in the Hub router. Any thoughts???

Gustavo

sdoremus33
Level 3
Level 3

When you defined the dynamic crypto map, did you integrate this into the static map. Ex:

Step2: Define transform set

Step2: Define the dynamic map

Step 3 integrate the dynamic map into the static map.

Also the dynamic map should have the transform set attributes only!!!

One other question in your MGRE config your network is between HUB and Spk1 , Spk2 correct, one other thing I did notice was your ip nhrp network-id for Spk(2) was set to 50, where the Hub is set for 100 and the other Hub router is set to 200, something to inverstigate further. HTH

sdoremus33
Level 3
Level 3

Spoke router

ip nhrp network-id 50

Hub router

ip nhrp network-id 100

So I changed the network ID numbers to 50. Still doesn't comes up.

Now I got a question. I don't know if you notice but I have a Firewall in the middle doing NAT. In the show crypto map in the Spoke, it says: access-list 103 permit gre host 190.201.x.x host 64.116.x.x. But as you can see int thu hub's FE 0/1 config I have a private IP address 172.16.x.x. So the crypto map is telling me that the tunnel is going to end up on the fireall interface or in the router interface behind the firewall? The NAT process is capable of doing that?

The configuration looks good, however I would try one another command on the spoke router

Set security associateion level per-host.

This command is used so thst the IP source in the spokes IPSEC proxy will be the spokes current physical /32 address, withtout this commaand would rather just use the ANY as destination in the ACL, which would preclude any other spoke router from setting up a physical map connection to the Hub router.

Just a thought. HTH

This command is use in global configuration on the spoke routers.

For the following statement: But as you can see int thu hub's FE 0/1 config I have a private IP address 172.16.x.x. So the crypto map is telling me that the tunnel is going to end up on the fireall interface or in the router interface behind the firewall? The NAT process is capable of doing that?

Also for testing purposes try adding the crypto-map to the outsied facing public interface on the spoke router. (For testing purposes)

sdoremus33
Level 3
Level 3

Just curious what are trhe outputs from the following commands

IPSEC Commands

sh crypto isakmp sa

sh crypto ipsec sa

sh crypto engine connections active

NHS Commands

sh ip nhrp

This could help us out further along with this problem.

sdoremus33
Level 3
Level 3

This looks like an issue with NAT primarily with the dst @172.x.x.x.

One thing you could also try for troubleshooting is use the following oommand to bypass ACL over IPSEC connections

Sysopt connection permit-ipsec

Sysopt connection permit vpn

Usage: sysopt connection permit-vpn

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

I hope some of these issues help you out as I am running into a very similiaer situation .

I notice in looking at the logfs perhaps bypassing ACL NAT could point us in right direction.

Take care

*Oct 30 20:17:05.639: CryptoEngine0: validate proposal request

*Oct 30 20:17:05.639: map_db_find_best did not find matching map

*Oct 30 20:17:05.639: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.16.x.x

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): IPSec policy invalidated proposal

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): phase 2 SA policy not acceptable! (local 172.16.x.x remote 190.201.x.x)

*Oct 30 20:17:05.639: ISAKMP: set new node 457288976 to QM_IDLE

*Oct 30 20:17:05.639: CryptoEngine0: generate hmac context for conn id 4

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

sdoremus33
Level 3
Level 3

Another troubleshooting ides is to turn off Nat-T

no crypto isakmp nat-traversal

See what happens question do both devices support NAT-T, and keeaplives

One last ides for troubleshooting as I mentioned earlier you can try to add the dynaimc crypto map to the outside interface

Herbert Baerten
Cisco Employee
Cisco Employee

Try this:

crypto ipsec transform-set medium esp-3des esp-md5-hmac

mode transport

Also, since both the spoke and the hub are behind NAT you'll need NAT-T, so definitely don't disable it.

I forgot to mention: you'll need to configure transport mode on both the hub and the spoke.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: