Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1001
Views
30
Helpful
5
Replies

DMVPN over IPSec problem

Go to solution
Fernandes
Beginner
Beginner

‎01-06-2023 06:30 AM - edited ‎01-06-2023 06:31 AM

Hi, I have 2 DMVPN tunnel over IPSec with 2 two spoke.

One tunnel everything Okay. Tunnel UP

But second tunnel problem. DMVPN state IPSEC. I am getting these logs

IOS: c1100-universalk9.17.06.03a.SPA.bin

Router: cisco C1101-4PLTEP (1RU)

Interface: Tunnel14, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 xxxxxxxxxxxxx 172.21.0.1 IPSEC 00:01:02 S
1 xxxxxxxxxxxxx 172.21.0.2 NHRP 00:00:53 S

Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:57: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied
Jan 6 18:05:58: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of MD5 by IPSEC key engine is denied

HUB LOGS

 

RTR01#sh crypto ipsec sa peer YYYYYYYY

interface: Tunnel14
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXX

protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.357
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel12
Crypto map tag: vodmvpn-prof-pasha-head-1-IPv4, local addr XXXXXXX

protected vrf: (none)
local ident (addr/mask/prot/port): (XXXXXXX/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (YYYYYYY/255.255.255.255/47/0)
current_peer YYYYYYY port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XXXXXX, remote crypto endpt.: YYYYYYY
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel44.390
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
RTR01#

 

 

1 person had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

‎01-06-2023 08:40 AM - edited ‎01-08-2023 07:38 AM

since one tunnel is work and one not 

add another transform with SHA/SHA2 instead of MD5 with AH. 
this make both tunnel work. 
if remove the OLD transform and add new one then you need to add this new in all spoke.

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP Master VIP Master
VIP Master

‎01-06-2023 06:38 AM

@Fernandes use SHA or SHA2

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb76866

Conditions: IPSec tunnel configured with DES/3DES as the encryption algorithm or MD5 HMAC algorithm in the transform set.

Workaround: Use different encryption or HMAC algorithm within the IPSec transform set.

Further Problem Description: An additional fix from CSCwb78173 is needed to completely fix this issue.

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

‎01-06-2023 08:40 AM - edited ‎01-08-2023 07:38 AM

since one tunnel is work and one not 

add another transform with SHA/SHA2 instead of MD5 with AH. 
this make both tunnel work. 
if remove the OLD transform and add new one then you need to add this new in all spoke.

Go to solution
Fernandes
Beginner
Beginner

‎01-08-2023 07:38 AM - edited ‎01-08-2023 07:38 AM

@Rob Ingram @MHM Cisco World Thank u so much

Solved problem

I use this encryption

crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14

and

crypto ipsec transform-set xxxxx esp-aes 256 esp-sha256-hmac
mode transport

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor
In response to Fernandes

‎01-08-2023 07:39 AM

You are so welcome 

0 Helpful

Go to solution
Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor
In response to Fernandes

‎01-09-2023 01:52 AM

Please remember to select a correct answer as this not only helps others that might have the same problem bot also rewards the experts that have answered your question.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents