11-02-2009 09:42 AM - edited 02-21-2020 04:22 PM
Hi everyone,
I'm having trouble with a basic DMVPN configuration. In the debugging I can see how ISAKMP phase 1 completes, but then the phase 2 proposal fails. It says something about a crypto map that doesn't exist. I thought that with this configuration I didn't need a crypto map. The routers' configuration and the debug print screen are attached. Any help would be appreciated.
Gustavo
11-05-2009 02:42 PM
Ok Guys,
I got 1 problem here. So I think it's an issue with the NAT as well. But the thing is that the router is not Cisco, it's a Watchguard Firewall X Peak 5500, so I don't know how to bypass ACL over IPsec connections within this firewall. I also cannot apply a dynamic crypto map because I don't think it has that option. The only thing I would try is to set the transform-set mode to transport, to see what happens.
I also posted this issue in a Watchguard forum to see what advice I can get from there.
I will write again after I have tried the transport mode on both peers.
Gustavo
11-06-2009 07:40 AM
It finally works, all I needed was to configure the transport mode in the transform-set. Now I know that NAT-Transparency Aware works even though the firewall is not Cisco: it allows the traffic and the tunnel comes up.
Here's the evidence:
sh cryp ips sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr. 190.201.x.x
protected vrf:
local ident (addr/mask/prot/port): (190.201.x.x/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (64.116.x.x/255.255.255.255/47/0)
current_peer: 64.116.x.x:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 252, #pkts encrypt: 252, #pkts digest 252
#pkts decaps: 107, #pkts decrypt: 107, #pkts verify 107
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 20, #recv errors 0
local crypto endpt.: 190.201.x.x, remote crypto endpt.: 64.116.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: C9662D7
inbound esp sas:
spi: 0xCA073946(3389471046)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4600769/2670)
IV size: 8 bytes
replay detection support: Y
spi: 0x21D068DB(567306459)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4490068/2667)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2FF4BB8(50285496)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4600769/2667)
IV size: 8 bytes
replay detection support: Y
spi: 0xC9662D7(211182295)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4490063/2659)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
sh cryp isa sa
dst src state conn-id slot
64.116.x.x 190.201.x.x QM_IDLE 2 0
sh cryp engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
2 Tunnel0 10.10.10.2 set HMAC_MD5+DES_56_CB 0 0
2000 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 0 1
2001 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 1 0
2002 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 0 106
2003 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 351 0
sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 00:24:26, never expire
Type: static, Flags: authoritative used
NBMA address: 64.116.x.x
I'm so happy it works, thanks a lot.
Gustavo
11-03-2016 12:15 AM
Perfect, worked for me. Thank you.