11-02-2009 09:42 AM - edited 02-21-2020 04:22 PM
Hi everyone,
I'm having trouble with a basic DMVPN configuration. In the debugging I can see how ISAKMP phase 1 completes, but then the phase 2 proposal fails. It says something about a crypto map that doesn't exist. I thought that with this configuration I didn't need a crypto map. The routers' configuration and the debug print screen are attached. Any help would be appreciated.
Gustavo
11-02-2009 11:59 AM
I tried the command show crypto map on the hub router and the spoke, and I can see what the error message is referring to.
Here's what the Hub router shows:
RPrueba2#sh cryp map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: medium
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
medium,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
And here's what the Spoke router shows:
RPrueba2#sh cryp map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: medium
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
medium,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 64.116.129.158
Extended IP access list
access-list permit gre host 190.201.x.x host 64.116.x.x
Current peer: 64.116.x.x
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
medium,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
I don't know why the crypto map doesn't show up on the Hub router. Any thoughts???
Gustavo
11-02-2009 12:26 PM
When you defined the dynamic crypto map, did you integrate this into the static map? Ex:
Step 1: Define transform set
Step 2: Define the dynamic map
Step 3: Integrate the dynamic map into the static map.
Also the dynamic map should have the transform set attributes only!!!
11-02-2009 03:08 PM
One other question: in your mGRE config your network is between the Hub and Spk1, Spk2, correct? One other thing I did notice was your ip nhrp network-id for Spk(2) was set to 50, where the Hub is set for 100 and the other Hub router is set to 200; something to investigate further. HTH
11-02-2009 03:15 PM
Spoke router
ip nhrp network-id 50
Hub router
ip nhrp network-id 100
11-03-2009 07:53 AM
So I changed the network ID numbers to 50. Still doesn't come up.
Now I've got a question. I don't know if you noticed, but I have a Firewall in the middle doing NAT. In the show crypto map on the Spoke, it says: access-list 103 permit gre host 190.201.x.x host 64.116.x.x. But as you can see in the hub's FE 0/1 config I have a private IP address 172.16.x.x. So is the crypto map telling me that the tunnel is going to end up on the firewall interface or on the router interface behind the firewall? Is the NAT process capable of doing that?
11-04-2009 06:23 PM
The configuration looks good, however I would try one other command on the spoke router:
Set security association level per-host.
This command is used so that the IP source in the spoke's IPsec proxy will be the spoke's current physical /32 address; without this command it would rather just use ANY as the destination in the ACL, which would preclude any other spoke router from setting up a physical map connection to the Hub router.
Just a thought. HTH
This command is used in global configuration on the spoke routers.
11-04-2009 06:25 PM
For the following statement: But as you can see in the hub's FE 0/1 config I have a private IP address 172.16.x.x. So the crypto map is telling me that the tunnel is going to end up on the firewall interface or on the router interface behind the firewall? The NAT process is capable of doing that?
Also for testing purposes try adding the crypto map to the outside-facing public interface on the spoke router. (For testing purposes)
11-04-2009 06:39 PM
Just curious, what are the outputs from the following commands?
IPSEC Commands
sh crypto isakmp sa
sh crypto ipsec sa
sh crypto engine connections active
NHS Commands
sh ip nhrp
This could help us out further along with this problem.
11-04-2009 08:46 PM
This looks like an issue with NAT primarily with the dst @172.x.x.x.
One thing you could also try for troubleshooting is to use the following command to bypass ACLs over IPsec connections:
sysopt connection permit-ipsec
sysopt connection permit-vpn
Usage: sysopt connection permit-vpn
For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.
11-04-2009 08:51 PM
I hope some of these issues help you out as I am running into a very similar situation.
I noticed in looking at the logs, perhaps bypassing ACL NAT could point us in the right direction.
Take care
*Oct 30 20:17:05.639: CryptoEngine0: validate proposal request
*Oct 30 20:17:05.639: map_db_find_best did not find matching map
*Oct 30 20:17:05.639: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.16.x.x
*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): IPSec policy invalidated proposal
*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): phase 2 SA policy not acceptable! (local 172.16.x.x remote 190.201.x.x)
*Oct 30 20:17:05.639: ISAKMP: set new node 457288976 to QM_IDLE
*Oct 30 20:17:05.639: CryptoEngine0: generate hmac context for conn id 4
*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
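The debug excerpt above carries the two clues the thread eventually converges on: no crypto map for the local address, and a local address that is RFC 1918 (i.e. the peer sits behind NAT). As an added example that is not from the thread or from Cisco, this Python helper parses such IOS `debug crypto isakmp/ipsec` lines and turns them into a triage result; the sample addresses are constructed stand-ins for the masked "x.x" octets.

```python
import ipaddress
import re

# Constructed sample modelled on the debug lines quoted in the thread; the masked
# "x.x" octets are replaced with RFC 1918 (local) and RFC 5737 (remote) addresses.
SAMPLE_DEBUG = """\
*Oct 30 20:17:05.639: CryptoEngine0: validate proposal request
*Oct 30 20:17:05.639: map_db_find_best did not find matching map
*Oct 30 20:17:05.639: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.16.10.1
*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): IPSec policy invalidated proposal
*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): phase 2 SA policy not acceptable! (local 172.16.10.1 remote 198.51.100.7)
*Oct 30 20:17:05.639: ISAKMP: set new node 457288976 to QM_IDLE
*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Patterns taken from the wording of the IOS messages shown in the thread.
NO_MAP_RE = re.compile(r"no IPSEC cryptomap exists for local address (\S+)")
PHASE2_RE = re.compile(r"phase 2 SA policy not acceptable! \(local (\S+) remote (\S+)\)")
NOT_CHOSEN_RE = re.compile(r"Sending NOTIFY PROPOSAL_NOT_CHOSEN")


def triage_phase2(debug_text: str) -> dict:
    """Scan debug output and explain a Quick Mode (phase 2) rejection."""
    result = {"phase2_failed": False, "no_cryptomap_local": None, "local": None,
              "remote": None, "local_is_private": None, "hints": []}
    for line in debug_text.splitlines():
        if m := NO_MAP_RE.search(line):
            result["no_cryptomap_local"] = m.group(1)
        elif m := PHASE2_RE.search(line):
            result["phase2_failed"] = True
            result["local"], result["remote"] = m.group(1), m.group(2)
        elif NOT_CHOSEN_RE.search(line):
            result["phase2_failed"] = True
    if result["local"]:
        # RFC 1918 local address on an Internet-facing tunnel means NAT in the path.
        result["local_is_private"] = ipaddress.ip_address(result["local"]).is_private
    if not result["phase2_failed"]:
        return result
    if result["no_cryptomap_local"]:
        result["hints"].append(
            f"No crypto map/profile bound for local address {result['no_cryptomap_local']}: "
            "confirm 'show crypto map' lists a Tunnel0-head-0 entry on this router.")
    if result["local_is_private"]:
        result["hints"].append(
            "Local address is RFC 1918, so this peer is behind NAT: use 'mode transport' in the "
            "transform set on hub and spoke, and keep 'crypto isakmp nat-traversal' enabled.")
    return result
```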
11-04-2009 10:02 PM
Another troubleshooting idea is to turn off NAT-T:
no crypto isakmp nat-traversal
See what happens. Question: do both devices support NAT-T, and keepalives?
11-04-2009 10:05 PM
One last idea for troubleshooting: as I mentioned earlier, you can try to add the dynamic crypto map to the outside interface.
11-05-2009 12:04 AM
Try this:
crypto ipsec transform-set medium esp-3des esp-md5-hmac
mode transport
Also, since both the spoke and the hub are behind NAT you'll need NAT-T, so definitely don't disable it.
11-05-2009 12:10 AM
I forgot to mention: you'll need to configure transport mode on both the hub and the spoke.