01-06-2023 06:30 AM - edited 01-06-2023 06:31 AM
Hi, I have 2 DMVPN tunnels over IPsec with two spokes.
One tunnel is fine: tunnel UP.
But the second tunnel has a problem: the DMVPN state is IPSEC. I am getting these logs.
IOS: c1100-universalk9.17.06.03a.SPA.bin
Router: cisco C1101-4PLTEP (1RU)
Interface: Tunnel14, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 xxxxxxxxxxxxx 172.21.0.1 IPSEC 00:01:02 S
1 xxxxxxxxxxxxx 172.21.0.2 NHRP 00:00:53 S
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
HUB LOGS
RTR01#sh crypto ipsec sa peer YYYYYYYY
interface: Tunnel14
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXX
protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.357
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Tunnel12
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXXX
protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.390
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
RTR01#
01-06-2023 08:40 AM - edited 01-08-2023 07:38 AM
Since one tunnel works and one does not,
add another transform set with SHA/SHA2 instead of MD5 with AH.
This makes both tunnels work.
If you remove the OLD transform set and add a new one, then you need to add this new one on all spokes.
01-06-2023 06:38 AM
@Fernandes use SHA or SHA2
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb76866
Conditions: IPSec tunnel configured with DES/3DES as the encryption algorithm or MD5 HMAC algorithm in the transform set.
Workaround: Use different encryption or HMAC algorithm within the IPSec transform set.
Further Problem Description: An additional fix from CSCwb78173 is needed to completely fix this issue.
01-08-2023 07:38 AM - edited 01-08-2023 07:38 AM
@Rob Ingram @MHM Cisco World Thank you so much.
Solved the problem.
I use this encryption:
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
and
crypto ipsec transform-set xxxxx esp-aes 256 esp-sha256-hmac
 mode transport
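An added audit script (not from this thread and not Cisco's code) that applies the CSCwb76866 conditions quoted above to a config snippet and to the CSDL_COMPLIANCE_FAIL log format shown in the original post: it lists transform sets still using DES/3DES or MD5 and proposes the AES-256/SHA-256 form the poster ended up with. The config text and the log line are constructed samples; ESP transforms only.

```python
import re

# Constructed IOS config: OLD-SET is the kind of transform set the bug describes
# (3DES + MD5 HMAC); NEW-SET is the form used in the resolved post above.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set OLD-SET esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set NEW-SET esp-aes 256 esp-sha256-hmac
 mode transport
"""

# Constructed syslog line in the same format as the lines quoted in the thread.
SAMPLE_LOG = ("Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB "
              "security compliance violation is detected. Use of MD5 by IPSEC key engine is denied")

# Transforms matching the bug's conditions (DES/3DES encryption, MD5 HMAC) and
# the replacement each one gets (assumed mapping, chosen to match the fix above).
REPLACEMENT = {"esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
               "esp-md5-hmac": "esp-sha256-hmac"}

TRANSFORM_SET_RE = re.compile(r"\s*crypto ipsec transform-set (\S+) (.+)")
CSDL_RE = re.compile(r"%CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: .*Use of (\S+) by (\S+) ")


def weak_transform_sets(config):
    """Return {set name: [weak transforms]} for every transform set using DES/3DES or MD5."""
    findings = {}
    for line in config.splitlines():
        m = TRANSFORM_SET_RE.match(line)
        if not m:
            continue
        name, transforms = m.group(1), m.group(2).split()
        weak = [t for t in transforms if t in REPLACEMENT]
        if weak:
            findings[name] = weak
    return findings


def hardened_transform_set(config_line):
    """Rewrite one 'crypto ipsec transform-set' line, swapping each weak transform for its replacement."""
    m = TRANSFORM_SET_RE.match(config_line)
    if not m:
        raise ValueError("not a transform-set line")
    fixed = [REPLACEMENT.get(t, t) for t in m.group(2).split()]
    return f"crypto ipsec transform-set {m.group(1)} {' '.join(fixed)}"


def csdl_denied_algorithm(log_line):
    """Return (algorithm, engine) from a CSDL compliance-failure log line, or None for any other line."""
    m = CSDL_RE.search(log_line)
    return (m.group(1), m.group(2)) if m else None
```

Run `weak_transform_sets` over a `show running-config` capture before an IOS XE upgrade to find every spoke that will hit this denial.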
01-08-2023 07:39 AM
You are so welcome
01-09-2023 01:52 AM
Please remember to select a correct answer as this not only helps others that might have the same problem but also rewards the experts that have answered your question.