IPSec/L2TP server behind the NAT

Unanswered Question
Mar 12th, 2008

I am trying to set up a Cisco 850 router behind NAT and allow clients to create VPN tunnels to it. I get the following error in IKE phase 2:

ISAKMP:(2022): IPSec policy invalidated proposal with error 1024

What does it mean, and how do I fix it?

What I know for sure (tested):

1. The connection is made without problems when the NAT is removed between server and client.

2. The connection is made without problems when the client (not the server) is behind the NAT.

3. The client is NAT-T capable (Windows XP SP2; I turned this feature on in the registry as described in the Cisco and Microsoft manuals).

4. It doesn't matter whether I forward the ports (UDP 500 and UDP 4500) or put the server in the DMZ, so it's not a port problem.

Anonymous (not verified) Tue, 03/18/2008 - 14:51

This appears to be an issue with parameter matching on both ends. Make sure the transform set is configured correctly on both ends. Check the Microsoft article available at http://support.microsoft.com/?id=818043 .


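As an added illustration of the transform-set check suggested in the reply above (this is example IOS configuration written for this page, not the original poster's configuration or Cisco's own sample; the names L2TP-TS, L2TP-TS-WRONG, DYN-MAP, L2TP-MAP, the interface name and the pre-shared key are placeholders): the Windows L2TP/IPsec client proposes ESP in transport mode, so an IOS transform set left in the default tunnel mode is one common reason phase 2 rejects the client's proposal. The block shows the mismatching and the matching transform set side by side, a phase 1 policy that lines up with the Windows XP defaults, and the show/debug commands used to confirm which proposal was agreed.

```cisco
! Phase 1 policy matching the Windows XP L2TP/IPsec defaults (3DES, SHA-1, DH group 2, PSK)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK for road-warrior clients; no-xauth because the Windows client does not do XAUTH
! (MyPreSharedKey is a placeholder)
crypto isakmp key MyPreSharedKey address 0.0.0.0 0.0.0.0 no-xauth
! Keepalives so the NAT device in front of the server keeps the UDP/4500 mapping open
crypto isakmp nat keepalive 20

! Mismatching transform set: tunnel mode is the IOS default, but it is not what the
! Windows L2TP/IPsec client proposes, so phase 2 fails
crypto ipsec transform-set L2TP-TS-WRONG esp-3des esp-sha-hmac
 mode tunnel

! Matching transform set: L2TP/IPsec carries L2TP over ESP in transport mode
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport

! Dynamic crypto map, since client addresses are not known in advance
crypto dynamic-map DYN-MAP 10
 set transform-set L2TP-TS
crypto map L2TP-MAP 10 ipsec-isakmp dynamic DYN-MAP

! Apply to the outside interface (interface name is a placeholder for the 850's WAN port)
interface FastEthernet4
 crypto map L2TP-MAP

! Checks after a client attempt:
! show crypto isakmp sa        -> phase 1 SA should reach QM_IDLE before phase 2 is blamed
! show crypto ipsec sa         -> "in use settings" should report transport mode for the client SA
! show crypto ipsec transform-set -> confirms which mode each configured transform set uses
! debug crypto ipsec           -> prints the proposal the peer offered next to the local transform sets
```

Run the show commands on the router while the client retries; if phase 1 never reaches QM_IDLE the problem is earlier than the transform set, and if it does, compare the mode and algorithms the debug output says the client offered against the transform set bound to the dynamic map.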