Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IOS - GRE - "tunnel protect" one end - crypto map the other

I have several IOS systems. One is functioning as the head-end for multipoint GRE tunnels with IPSEC protection using the "tunnel protection ipsec" feature in the newer releases. All of the spokes except one are running new enough code to operate the "tunnel protection ipsec" feature. .... BUT, one spoke that is due for an upgrade has to run crypto maps for now. I cannot get this node to properly negotiate with the head-end. Messages from the head-end debug are:

ISAKMP (0:2988): atts are acceptable.

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= x.x.x.x, remote= y.y.y.y,

local_proxy= x.x.x.x/ (type=1),

remote_proxy= y.y.0.0/ (type=4),

protocol= ESP, transform= esp-des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

CryptoEngine0: validate proposal request

IPSEC(kei_proxy): head = Tunnel0-head-0, map->ivrf = , kei->ivrf =

IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP (0:2988): IPSec policy invalidated proposal

ISAKMP (0:2988): phase 2 SA policy not acceptable! (local

x.x.x.x remote y.y.y.y)

ISAKMP: set new node 1971153906 to QM_IDLE

CryptoEngine0: generate hmac context for conn id 2988

CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)

CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)

ISAKMP (0:2988): sending packet to y.y.y.y my_port 500 peer_port 500 (R) QM_IDLE

ISAKMP (0:2988): purging node 1971153906


Re: IOS - GRE - "tunnel protect" one end - crypto map the other

Hi ,

If you are getting problems with your second phase, it is usually an indication of the access lists for your match address. Check that part for troubleshooting second phase ...

New Member

Re: IOS - GRE - "tunnel protect" one end - crypto map the other

you were right. I had to change the mask at the legacy end as the "tunnel protect" end only had a single host mask for gre.