Symptom
Jun 17 11:15:09: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of 3DES by IPSec background proc is denied
Jun 17 11:15:09: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of 3DES by IPSec background proc is denied
Jun 17 11:15:09: %GDOI-5-GM_FAILED_TO_INSTALL_POLICIES: FAILED: Installation of Reg/Rekey policies from KS 172.19.0.6 for group GETVPN-GROUP & gm identity
Conditions
An IOS-XE router with IPsec VPN configured with DES/3DES as the encryption algorithm or the MD5 HMAC algorithm in the transform set.
Workaround
Downgrade the software on the router or disable the CSDL compliance shield:
crypto engine compliance shield disable
Further Problem Description
The issue can be seen in 17.6.x, 17.7.x, 17.8.x, 17.9.x or 17.10.x software releases.
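To check whether a router matches the Conditions above before moving it to an affected release, a saved configuration can be scanned for transform sets that use DES, 3DES or MD5 HMAC. The script below is an added example, not Cisco code; the function name and the sample configuration are constructed for illustration, and it assumes the usual one-line `crypto ipsec transform-set NAME ...` form.

```python
import re

# IOS transform keywords that match the Conditions above (DES, 3DES, MD5 HMAC).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Matches the definition line only; indented sub-commands such as
# "mode tunnel" do not start with "crypto ipsec transform-set".
TS_LINE = re.compile(r"^\s*crypto ipsec transform-set\s+(\S+)\s+(.+)$")


def find_weak_transform_sets(config_text):
    """Return {transform-set name: sorted weak keywords} for a saved config."""
    findings = {}
    for line in config_text.splitlines():
        m = TS_LINE.match(line)
        if not m:
            continue
        name, transforms = m.group(1), m.group(2).split()
        # Key sizes such as "256" are plain tokens and never match a keyword.
        weak = sorted(WEAK_TRANSFORMS.intersection(transforms))
        if weak:
            findings[name] = weak
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-LEGACY esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TS-MIXED esp-aes 256 esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TS-OK esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set TS-DES esp-des esp-sha-hmac
"""

if __name__ == "__main__":
    for name, weak in find_weak_transform_sets(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(weak)}")
```

For a GETVPN group like the one in the Symptom log, run it against the configuration that defines the transform set as well as the group member's own.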