DMVPN over IPSec problem

Fernandes
Level 1

Hi, I have 2 DMVPN tunnels over IPsec with 2 spokes.

One tunnel is fine: tunnel UP.

But the second tunnel has a problem: DMVPN state IPSEC. I am getting these logs.

IOS: c1100-universalk9.17.06.03a.SPA.bin

Router: cisco C1101-4PLTEP (1RU)

Interface: Tunnel14, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 xxxxxxxxxxxxx 172.21.0.1 IPSEC 00:01:02 S
1 xxxxxxxxxxxxx 172.21.0.2 NHRP 00:00:53 S

Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied

HUB LOGS

RTR01#sh crypto ipsec sa peer YYYYYYYY

interface: Tunnel14
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXX

protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.357
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel12
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXXX

protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.390
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
RTR01#
1 Accepted Solution

Since one tunnel works and one does not:

add another transform set with SHA/SHA2 instead of MD5 with AH.
This makes both tunnels work.
If you remove the OLD transform set and add a new one, then you need to add the new one on all spokes.


5 Replies

@Fernandes use SHA or SHA2

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb76866

Conditions: IPSec tunnel configured with DES/3DES as the encryption algorithm or MD5 HMAC algorithm in the transform set.

Workaround: Use different encryption or HMAC algorithm within the IPSec transform set.

Further Problem Description: An additional fix from CSCwb78173 is needed to completely fix this issue.
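The bug conditions quoted above (DES/3DES encryption or an MD5 HMAC in the transform set) and the accepted approach of offering a SHA transform set alongside the old one until every spoke has it can both be checked from a saved running-config. The following audit script is an added example, not code from the thread or from Cisco; it parses a constructed IOS config fragment (the `crypto isakmp policy`, `crypto ipsec transform-set` and `crypto ipsec profile` stanzas) and flags every ISAKMP policy, transform set and IPsec profile that would trip the CSDL compliance check, noting whether a profile still has a compliant alternative to fall back on.

```python
import re

# Algorithm tokens that the bug report above says trigger the compliance failure.
WEAK_HASH = {"md5", "esp-md5-hmac", "ah-md5-hmac"}
WEAK_ENC = {"des", "3des", "esp-des", "esp-3des"}

# Constructed sample config for the demonstration (not from the thread).
# OLD-MD5 is the legacy transform set, NEW-SHA the compliant replacement.
SAMPLE_CONFIG = """
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set OLD-MD5 esp-aes esp-md5-hmac
 mode transport
crypto ipsec transform-set NEW-SHA esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set OLD-MD5 NEW-SHA
"""


def parse_config(config: str):
    """Return (isakmp policies, transform sets, ipsec profiles) from IOS config text.

    policies: {id: {"encryption": "...", "hash": "..."}}
    tsets:    {name: [algorithm tokens]}
    profiles: {name: [referenced transform-set names]}
    """
    policies, tsets, profiles = {}, {}, {}
    current = None  # (kind, key) of the stanza whose indented lines we are in
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw[0] in " \t"
        parts = raw.split()
        if not indented:
            current = None
            if re.match(r"crypto isakmp policy \d+$", raw):
                policies[int(parts[3])] = {}
                current = ("policy", int(parts[3]))
            elif raw.startswith("crypto ipsec transform-set "):
                tsets[parts[3]] = parts[4:]  # e.g. ['esp-aes', '256', 'esp-sha256-hmac']
                current = ("tset", parts[3])
            elif raw.startswith("crypto ipsec profile "):
                profiles[parts[3]] = []
                current = ("profile", parts[3])
        elif current:
            kind, key = current
            if kind == "policy" and parts[0] in ("encryption", "hash"):
                policies[key][parts[0]] = " ".join(parts[1:])
            elif kind == "profile" and parts[:2] == ["set", "transform-set"]:
                profiles[key].extend(parts[2:])
    return policies, tsets, profiles


def weak_reasons(tokens):
    """List the tokens in an algorithm list that the compliance check rejects."""
    reasons = []
    for t in tokens:
        if t.lower() in WEAK_HASH:
            reasons.append(f"{t} uses MD5")
        if t.lower() in WEAK_ENC:
            reasons.append(f"{t} is DES/3DES")
    return reasons


def audit(config: str):
    """Return human-readable findings; an empty list means the config is compliant."""
    policies, tsets, profiles = parse_config(config)
    findings = []
    for pid, p in sorted(policies.items()):
        tokens = p.get("encryption", "").split() + p.get("hash", "").split()
        findings += [f"isakmp policy {pid}: {r}" for r in weak_reasons(tokens)]
    weak_sets = {name: weak_reasons(toks) for name, toks in tsets.items() if weak_reasons(toks)}
    for name, reasons in weak_sets.items():
        findings.append(f"transform-set {name}: " + "; ".join(reasons))
    for name, refs in profiles.items():
        bad = [r for r in refs if r in weak_sets]
        good = [r for r in refs if r in tsets and r not in weak_sets]
        if bad and not good:
            findings.append(f"ipsec profile {name}: only non-compliant transform sets ({', '.join(bad)})")
        elif bad:
            # The accepted solution's transitional state: keep both until every spoke has the new set.
            findings.append(f"ipsec profile {name}: still offers {', '.join(bad)}; remove once all spokes accept {', '.join(good)}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run it against `show running-config` output saved to a file (swap `SAMPLE_CONFIG` for the file contents); a profile that lists only weak transform sets is the state that produced the `CSDL_COMPLIANCE_FAIL` logs above, while a profile listing both is safe to leave in place until the last spoke has been migrated.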

Fernandes
Level 1

@Rob Ingram @MHM Cisco World Thank you so much.

Problem solved.

I use this encryption

crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14

and

crypto ipsec transform-set xxxxx esp-aes 256 esp-sha256-hmac
mode transport

You are so welcome.

Please remember to select a correct answer, as this not only helps others that might have the same problem but also rewards the experts that have answered your question.

--
Please remember to select a correct answer and rate helpful posts