Cisco Support Community
New Member

DMVPN ISAKMP phase 2 SA policy not acceptable!

Hi everyone,

I'm having trouble with a basic DMVPN configuration. In the debugging I can see how ISAKMP phase 1 completes, but then the phase 2 proposal fails. It says something about a crypto map that doesn't exist. I thought that with this configuration I didn't need a crypto map. The routers' configuration and the debug print screen are attached. Any help would be appreciated.

Gustavo

Accepted Solution
Cisco Employee

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

Try this:

crypto ipsec transform-set medium esp-3des esp-md5-hmac

mode transport

Also, since both the spoke and the hub are behind NAT you'll need NAT-T, so definitely don't disable it.

17 REPLIES
New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

I tried the command show crypto map in the hub router and the spoke, and I can see what the error message is referring to.

Here's what the Hub router shows:

RPrueba2#sh cryp map

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

Profile name: medium

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Interfaces using crypto map Tunnel0-head-0:

Tunnel0

And here's what the Spoke router shows:

RPrueba2#sh cryp map

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

Profile name: medium

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp

Map is a PROFILE INSTANCE.

Peer = 64.116.129.158

Extended IP access list

access-list permit gre host 190.201.x.x host 64.116.x.x

Current peer: 64.116.x.x

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

medium,

}

Interfaces using crypto map Tunnel0-head-0:

Tunnel0

I don't know why the crypto map doesn't show up in the Hub router. Any thoughts???

Gustavo

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

When you defined the dynamic crypto map, did you integrate it into the static map? Ex:

Step 1: Define the transform set

Step 2: Define the dynamic map

Step 3: Integrate the dynamic map into the static map.

Also the dynamic map should have the transform set attributes only!!!

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

One other question: in your mGRE config your network is between HUB and Spk1, Spk2, correct? One other thing I did notice was your ip nhrp network-id for Spk(2) was set to 50, where the Hub is set for 100 and the other Hub router is set to 200, something to investigate further. HTH

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

Spoke router

ip nhrp network-id 50

Hub router

ip nhrp network-id 100

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

So I changed the network ID numbers to 50. Still doesn't come up.

Now I've got a question. I don't know if you noticed, but I have a Firewall in the middle doing NAT. In the show crypto map on the Spoke, it says: access-list 103 permit gre host 190.201.x.x host 64.116.x.x. But as you can see in the hub's FE 0/1 config I have a private IP address 172.16.x.x. So is the crypto map telling me that the tunnel is going to end up on the firewall interface or on the router interface behind the firewall? Is the NAT process capable of doing that?

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

The configuration looks good, however I would try one other command on the spoke router:

Set security association level per-host.

This command is used so that the IP source in the spoke's IPSEC proxy will be the spoke's current physical /32 address; without this command it would rather just use ANY as the destination in the ACL, which would preclude any other spoke router from setting up a physical map connection to the Hub router.

Just a thought. HTH

This command is used in global configuration on the spoke routers.

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

For the following statement: "But as you can see in the hub's FE 0/1 config I have a private IP address 172.16.x.x. So is the crypto map telling me that the tunnel is going to end up on the firewall interface or on the router interface behind the firewall? Is the NAT process capable of doing that?"

Also, for testing purposes, try adding the crypto map to the outside-facing public interface on the spoke router. (For testing purposes)

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

Just curious, what are the outputs from the following commands?

IPSEC Commands

sh crypto isakmp sa

sh crypto ipsec sa

sh crypto engine connections active

NHS Commands

sh ip nhrp

This could help us out further along with this problem.

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

This looks like an issue with NAT primarily with the dst @172.x.x.x.

One thing you could also try for troubleshooting is to use the following command to bypass the ACL for IPSEC connections:

Sysopt connection permit-ipsec

Sysopt connection permit vpn

Usage: sysopt connection permit-vpn

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

I hope some of these ideas help you out, as I am running into a very similar situation.

I notice in looking at the logs that perhaps bypassing the ACL/NAT could point us in the right direction.

Take care

*Oct 30 20:17:05.639: CryptoEngine0: validate proposal request

*Oct 30 20:17:05.639: map_db_find_best did not find matching map

*Oct 30 20:17:05.639: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.16.x.x

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): IPSec policy invalidated proposal

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): phase 2 SA policy not acceptable! (local 172.16.x.x remote 190.201.x.x)

*Oct 30 20:17:05.639: ISAKMP: set new node 457288976 to QM_IDLE

*Oct 30 20:17:05.639: CryptoEngine0: generate hmac context for conn id 4

*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

Another troubleshooting idea is to turn off NAT-T:

no crypto isakmp nat-traversal

See what happens. Question: do both devices support NAT-T, and keepalives?

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

One last idea for troubleshooting: as I mentioned earlier, you can try to add the dynamic crypto map to the outside interface.


Cisco Employee

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

I forgot to mention: you'll need to configure transport mode on both the hub and the spoke.

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

Ok Guys,

I've got one problem here. So I think it's an issue with the NAT as well. But the thing is that the router is not Cisco, it's a Watchguard Firewall X Peak 5500, so I don't know how to bypass the ACL for IPSEC connections within this firewall. I also cannot apply a dynamic crypto map because I don't think it has that option. The only thing I would try is to set the transform-set mode to transport, to see what happens.

I also posted this issue in a Watchguard forum to see what advice I can get from there.

I will write again after I have tried transport mode on both peers.

Gustavo

New Member

Re: DMVPN ISAKMP phase 2 SA policy not acceptable!

It finally works; all I needed was to configure transport mode in the transform-set. Now I know that NAT-Transparency Aware works: even though the firewall is not Cisco, it allows the traffic and the tunnel comes up.

Here's the evidence:

sh cryp ips sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr. 190.201.x.x

protected vrf:

local ident (addr/mask/prot/port): (190.201.x.x/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (64.116.x.x/255.255.255.255/47/0)

current_peer: 64.116.x.x:4500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 252, #pkts encrypt: 252, #pkts digest 252

#pkts decaps: 107, #pkts decrypt: 107, #pkts verify 107

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 20, #recv errors 0

local crypto endpt.: 190.201.x.x, remote crypto endpt.: 64.116.x.x

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1

current outbound spi: C9662D7

inbound esp sas:

spi: 0xCA073946(3389471046)

transform: esp-3des esp-md5-hmac ,

in use settings ={Transport UDP-Encaps, }

slot: 0, conn id: 2000, flow_id: 1, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4600769/2670)

IV size: 8 bytes

replay detection support: Y

spi: 0x21D068DB(567306459)

transform: esp-3des esp-md5-hmac ,

in use settings ={Transport UDP-Encaps, }

slot: 0, conn id: 2002, flow_id: 3, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4490068/2667)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x2FF4BB8(50285496)

transform: esp-3des esp-md5-hmac ,

in use settings ={Transport UDP-Encaps, }

slot: 0, conn id: 2001, flow_id: 2, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4600769/2667)

IV size: 8 bytes

replay detection support: Y

spi: 0xC9662D7(211182295)

transform: esp-3des esp-md5-hmac ,

in use settings ={Transport UDP-Encaps, }

slot: 0, conn id: 2003, flow_id: 4, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4490063/2659)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

sh cryp isa sa

dst src state conn-id slot

64.116.x.x 190.201.x.x QM_IDLE 2 0

sh cryp engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

2 Tunnel0 10.10.10.2 set HMAC_MD5+DES_56_CB 0 0

2000 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 0 1

2001 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 1 0

2002 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 0 106

2003 Tunnel0 10.10.10.2 set HMAC_MD5+3DES_56_C 351 0

sh ip nhrp

10.10.10.1/32 via 10.10.10.1, Tunnel0 created 00:24:26, never expire

Type: static, Flags: authoritative used

NBMA address: 64.116.x.x

I'm so happy it works, thanks a lot.

Gustavo
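As an added example (not part of the thread or any Cisco tooling), a small Python check that reads the two kinds of output pasted above: it pairs the "no IPSEC cryptomap exists for local address" and "phase 2 SA policy not acceptable!" debug lines and flags the private-local / public-remote pattern that pointed to NAT here, and it confirms from `show crypto ipsec sa` that every SA is in transport mode with UDP encapsulation (NAT-T), as the accepted answer requires. The sample inputs are constructed from the formats in the thread; the addresses are placeholders standing in for the masked x.x values.

```python
import ipaddress
import re

# Constructed samples in the formats pasted in this thread (addresses are placeholders).
DEBUG_SAMPLE = """\
*Oct 30 20:17:05.639: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.16.5.1
*Oct 30 20:17:05.639: ISAKMP:(0:4:SW:1): phase 2 SA policy not acceptable! (local 172.16.5.1 remote 190.201.7.7)
"""
SA_SAMPLE = """\
   inbound esp sas:
    spi: 0xCA073946(3389471046)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Transport UDP-Encaps, }
   outbound esp sas:
    spi: 0xC9662D7(211182295)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Transport UDP-Encaps, }
"""

NO_MAP = re.compile(r"no IPSEC cryptomap exists for local address (\S+)")
PH2_FAIL = re.compile(r"phase 2 SA policy not acceptable! \(local (\S+) remote (\S+)\)")
SETTINGS = re.compile(r"in use settings =\{([^}]*)\}")


def diagnose_phase2(debug_text):
    """Pair the 'no cryptomap' and 'policy not acceptable' lines; flag the NAT pattern."""
    no_map, fail = NO_MAP.search(debug_text), PH2_FAIL.search(debug_text)
    if not (no_map and fail):
        return None
    local, remote = fail.group(1), fail.group(2)
    # The thread's symptom: the quick-mode proxy carries the hub's private (pre-NAT)
    # address while the peer and the map are keyed on public addresses.
    nat_pattern = (ipaddress.ip_address(local).is_private
                   and not ipaddress.ip_address(remote).is_private)
    return {"local": local, "remote": remote,
            "map_lookup_addr": no_map.group(1),
            "likely_nat_mismatch": nat_pattern}


def verify_sa(show_text):
    """Count SAs and confirm each is transport mode with UDP encapsulation (NAT-T)."""
    modes = SETTINGS.findall(show_text)
    all_ok = bool(modes) and all("Transport" in m and "UDP-Encaps" in m for m in modes)
    return len(modes), all_ok


if __name__ == "__main__":
    print(diagnose_phase2(DEBUG_SAMPLE))
    print(verify_sa(SA_SAMPLE))
```

Paste the real `debug crypto isakmp` / `show crypto ipsec sa` text in place of the samples; a result of `(n, False)` from verify_sa means at least one SA is still in tunnel mode or not UDP-encapsulated.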

Perfect, worked for me, thank you.
