I have a functioning DMVPN environment running with two hubs and approx 95 remote offices using 2621XM VPN Bundles. They have been functioning well for quite a few years now. I am now trying to bring up a new office with a couple of differences, this time I'm using a 2821VPN Bundle and will be configuring the tunnel through a NAT router (one side Internet, the other private). I am able to bring up ISAKMP portion of the tunnel with no issues, however when I get to the IPSec (transport mode) proposal the IPSec tunnel never completes and fails on the hub side with the following error message:
003565: May 8 14:07:38.731 edt: map_db_find_best did not find matching map
003566: May 8 14:07:38.731 edt: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address a.a.a.a.
Router configs of one of the Hubs (the other is identical) the NAT router and the Spoke router are included as well as the IPSec debug from the hub and spoke. See attachment for more detail.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...